+1 to this issue. I believe this is a bug with the API. It’s caused a lot of grief when trying to be more secure and scope tokens to a single zone. When performing a GET on the
/zones endpoint, if an account has
Zones - Zones - Read permissions, the endpoint should filter all zones found in the lookup by all the zones my token has access to.
Example: Assume my account has
bim.com. Assume my generated token has included zones
/zones - should return records for
/zones?name=foo.com - should return records for
/zones?name=bim.com - should return no results, NOT an error (since the token does have valid permissions; it just didn’t find any matching records within the token’s included zones)