Tom, as I already said, I'm right with you. We do have to do permission checks before displaying any object_name in any list of objects. I totally agree that there should never be a backdoor so that users can get information that they're not permitted to get.
