If I construct a component URL for a contact that is not accessible to public, I can access that contact when logged in.

For example, for contact ID=169 and alias=bob2
http://[...]/component/contact/contact/169-bob2

If I then log out and try to access the same page I get an exception thrown, when I would expect "access denied" or an instruction to log in.

exception 'Exception' with message 'Contact not found' in [...]/components/com_contact/models/contact.php:330 Stack trace: #0 [...]/components/com_contact/models/contact.php(254): ContactModelContact->getContactQuery(169) #1 [...]/libraries/legacy/view/legacy.php(401): ContactModelContact->getItem() #2 [...]/components/com_contact/views/contact/view.html.php(66): JViewLegacy->get('Item') #3 [...]/libraries/legacy/controller/legacy.php(690): ContactViewContact->display() #4 [...]/components/com_contact/controller.php(42): JControllerLegacy->display(true, Array) #5 [...]/libraries/legacy/controller/legacy.php(728): ContactController->display() #6 [...]/components/com_contact/contact.php(15): JControllerLegacy->execute(NULL) #7 [...]/libraries/cms/component/helper.php(392): require_once('/var/www/prayer...') #8 [...]/libraries/cms/component/helper.php(372): JComponentHelper::executeComponent('/var/www/prayer...') #9 [...]/libraries/cms/application/site.php(191): JComponentHelper::renderComponent('com_contact') #10 [...]/libraries/cms/application/site.php(230): JApplicationSite->dispatch() #11 [...]/libraries/cms/application/cms.php(252): JApplicationSite->doExecute() #12 [...]/index.php(45): JApplicationCms->execute() #13 {main}