We recently forgot to add the necessary permissions for a user, whereupon something interesting happened:

A call to mongo::DBClientBase::query() returned with a DBClientCursor, as expected, but the following code then failed because one of our field check reported a missing field that was expected in the BSONObj we expected after getting the first object.
Pseudocode:

while(mongoCursor->more())
{
  mongo::BSONObj o = mongoCursor->next();
  OurObject result;
  BsonToObject(o, result);
}

Looking into it we finally discovered that the BSONObj returned by mongoCursor->next() was not one from the collection in question, but an Error Object:

{ $err: "not authorized for query on commDB.devicedata", code: 13 }

getLastError() did not return anything, though - and we wonder now why there was no exception thrown, as it's impossible to detect the error state and avoid attempting the conversion, it seems.