I’d say a verbose setting could take care of that.
For
Intranet applications I’d like the user to know what view they don’t have rights to (it could just show the caption).
For general public web apps, I’d like a redirect or ‘nothing’ or close the session, but the error with details in the logs.
So in the end it is about what we display, not what information is available at the time or raising the error.