While working on ticket #25656, I noticed a similar behavior in the admin changelist view.
Currently, if a user has no change or no view permission for a model and directly accesses the changelist URL, Django returns a 403 Forbidden page.
This seems similar to the recent actions issue #25656, where users could reach admin URLs without the required permissions and received a 403 page instead of being redirected back to the admin index. Or #2856 where recent actions would link to 404 when obj is deleted.
The difference is that in this case there is no direct UI navigation path to the changelist page for users without permissions; it only happens when manually entering the URL or (being on the page and refreshing after permissions were changed).
Would this behavior be considered worth changing for consistency, or is the current behavior acceptable because the page is not normally reachable through the admin UI?