Listing a file in another allocation does not fail but returns no output

[stewartie4]

Users should not be able to list files in an allocation they do not own.
While it is true they cannot do this, when calling zbox list, a successful response is returned with no files listed.

If the allocation does not exist an error is returned:

The issue may actually lie with the REST API rather than the CLI.

2 issues with this:

1. Returning a blank response leaks data to an attacker by letting them know that an allocation exists
2. Returning a zero exist code breaks any scripts they may be using to determine a success/failure

Steps to reproduce:
#ORIGINAL WALLET
./zbox register
./zwallet faucet --methodName pour --tokens 1.000000 --input {}
./zbox newallocation --expire 1h --size 10000 --lock 0.5
./zbox upload --allocation <> --localpath /var/folders/vy/j3qpwd9s2dvbdvd_g5dhwvf80000gn/T/HY2PDunsiH_test.txt --remotepath /HY2PDunsiH_test.txt

#NEW WALLET
./zbox register
./zbox list --allocation <> --json --remotepath /

[cnlangzi]

@stewartie4 I would suggest don't throw error on list.empty list seems better than an error for code to work. check 0chain/system_test#452 for more detail. many cases will be broken(eg zbox sync)

[stewartie4]

Say zbox is being used in a script and list is called as part of that script.
Exit codes are really important for flow and error control.
An exit code of 1 is sent for an invalid or missing allocation
So why should it be an exit code of zero for an allocation the user does not own? All that does is leak information to an unauthorised user (that the allocation exists) and tells a script that all is working as expected

Is there a middle ground for this?