403 page is rendered but 404 is the response
Right now, if we call authorize_#{action} in any of the project controllers, the call goes through Projects::ApplicationController#authorize_action!, which in turn calls ApplicationController#access_denied! if the current_user is unable to perform the action.
If we look at the source of access_denied!, it currently renders the access_denied view, which shows the 403 message. But in reality, since access_denied! is called without a message, the status actually returned is 404.
So, to summarize: when the 403 page is returned, the actual HTTP response is a 404.
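The mismatch described above, as an added plain-Ruby model that is not GitLab's code: it reproduces the reported behaviour next to one possible consistent variant and checks whether the rendered page agrees with the status code. The `_model` method names, the template names and the rule that a supplied message yields 403 are assumptions drawn from the issue's wording.

```ruby
# Constructed plain-Ruby model of the behaviour described in this issue.
# It is not GitLab's source: the *_model method names, the template names
# and the status table are assumptions made for illustration.

STATUS_CODES = { forbidden: 403, not_found: 404 }.freeze

# Which HTTP status each error template claims in its visible text (assumed).
TEMPLATE_CLAIMS = { 'errors/access_denied' => 403, 'errors/not_found' => 404 }.freeze

Response = Struct.new(:status, :template)

# Behaviour as reported: the status depends on whether a message was given,
# but the access_denied view is rendered either way.
def access_denied_reported_model(message = nil)
  status = message.to_s.empty? ? :not_found : :forbidden
  Response.new(STATUS_CODES.fetch(status), 'errors/access_denied')
end

# One possible correction (an assumption, not a fix taken from the issue):
# pick the template from the status so body and status line always agree.
def access_denied_consistent_model(message = nil)
  status = message.to_s.empty? ? :not_found : :forbidden
  template = status == :not_found ? 'errors/not_found' : 'errors/access_denied'
  Response.new(STATUS_CODES.fetch(status), template)
end

# True when the status code on the wire matches what the rendered page says.
def body_matches_status?(response)
  TEMPLATE_CLAIMS.fetch(response.template) == response.status
end

# Run a handler over the call shapes a controller can produce and return
# the message values for which the body and the status disagree.
def mismatches(handler)
  [nil, '', 'You cannot do this'].reject do |message|
    body_matches_status?(method(handler).call(message))
  end
end

if __FILE__ == $PROGRAM_NAME
  p mismatches(:access_denied_reported_model)
  p mismatches(:access_denied_consistent_model)
end
```

In a real Rails test suite the same check would be a request spec asserting on both the response status and the rendered template for each call shape.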