Existence Is Authorization

A handler given a caller-supplied identifier checks that the named resource exists and treats the existence check as the authorization decision. The identifier is enumerable; the resource carries no per-call credential. Anyone who can guess or enumerate the identifier becomes the authorized caller.