
Inaccessible rooms can leak existence through some 403 (instead of 404) responses

Open jagerman opened this issue 1 year ago • 0 comments

(Report received out-of-band from a user unwilling to use Github):

From the docs (and our intention):

"404 Not Found — Returned if the room does not exist, or is configured as inaccessible (and this user doesn't have access)."

And to a larger extent, the return of a 404 when actions are performed on rooms with all permissions disabled.

From a cursory check, it seems that both a manual "accessible" check and an @auth.accessible_required decorator are missing from several routes in rooms.py, messages.py and views.py, potentially allowing a user to scan for existing room names.

The web viewer, for instance, returns 403 instead of 404 for an inaccessible room.

jagerman, Feb 28 '24 04:02
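The behaviour the report describes, as an added illustration (not session-pysogs code): a route that answers 404 for unknown rooms but 403 for known-but-inaccessible ones lets the two cases be told apart, while a decorator in the spirit of `accessible_required` collapses both to 404. The `ROOMS` table, `can_access` and the decorator body are constructed assumptions for the example.

```python
# Added example, not taken from session-pysogs: a leaky room lookup beside a
# hardened one, plus a regression check that the two cases are indistinguishable.
from functools import wraps

# Constructed room table: name -> public flag and the users granted explicit access.
ROOMS = {
    "general": {"accessible": True, "allowed": set()},
    "secret": {"accessible": False, "allowed": {"alice"}},
}

def can_access(room, user):
    """A user may see a room if it is public or has been granted access to it."""
    return room["accessible"] or user in room["allowed"]

def leaky_status(room_name, user):
    """Leaky route: 404 for unknown rooms, 403 for known-but-inaccessible rooms.
    Because the codes differ, the response reveals whether the name exists."""
    room = ROOMS.get(room_name)
    if room is None:
        return 404
    if not can_access(room, user):
        return 403
    return 200

def accessible_required(view):
    """Hypothetical stand-in for the missing decorator described in the issue:
    an inaccessible room is treated exactly like a room that does not exist."""
    @wraps(view)
    def wrapper(room_name, user):
        room = ROOMS.get(room_name)
        if room is None or not can_access(room, user):
            return 404
        return view(room, user)
    return wrapper

@accessible_required
def fixed_status(room, user):
    """Route body only runs once the room is known to be visible to the user."""
    return 200

def leaks_existence(handler, user):
    """Regression check: True if a hidden room and a missing room get different codes."""
    return handler("secret", user) != handler("does-not-exist", user)
```

Run `leaks_existence` against each route in a test suite so a route that forgets the decorator fails the build rather than ships.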