401 should be returned if authentication is missing, and if the same request with the right authentication added would succeed.
403 should be returned if this request, issued by this requester, can never succeed.
Note that neither situation should give any other information to the requester. So if I am looking for a non-existing resource inside a folder that I cannot access, 401/403 should be returned and not an error that the resource is missing.
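
The ordering described above, as an added example that is not part of the original text: the authorization decision is made before the existence lookup, so a missing resource inside an inaccessible folder gets the same response as an existing one. The folder names, users and the `respond` and `leaks_existence` helpers are hypothetical and the data is constructed.

```python
# Constructed sample data (hypothetical names): per-folder ACLs and stored resources.
FOLDER_ACL = {
    "/public": None,          # None = no authentication required
    "/finance": {"alice"},    # only these authenticated users may read
}
RESOURCES = {"/public/readme.txt", "/finance/q3.xlsx"}


def respond(path, user=None):
    """Return (status, body) for a GET on path; user is None when unauthenticated."""
    folder = path.rsplit("/", 1)[0] or "/"
    if folder not in FOLDER_ACL:
        # No protected folder involved, so there is nothing to hide.
        return 404, "Not Found"

    allowed = FOLDER_ACL[folder]
    if allowed is not None:
        # Access is decided on the folder alone, before touching RESOURCES,
        # so the answer cannot depend on whether the resource exists.
        if user is None:
            return 401, "Unauthorized"   # adding credentials could help
        if user not in allowed:
            return 403, "Forbidden"      # this requester can never succeed

    # Only a requester who passed the access check learns about existence.
    if path not in RESOURCES:
        return 404, "Not Found"
    return 200, "OK"


def leaks_existence(existing_path, missing_path, user=None):
    """True if the two responses differ, i.e. the requester can tell them apart."""
    return respond(existing_path, user) != respond(missing_path, user)


if __name__ == "__main__":
    for user in (None, "bob", "alice"):
        for path in ("/finance/q3.xlsx", "/finance/nope.xlsx"):
            print(user, path, respond(path, user))
```

Only `alice`, who is allowed to read the folder, sees a difference between the existing and the missing path.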