Bug #20750
Updated by Peter Amstutz over 1 year ago
Serving files through keep-web requires the scopes documented at #20249.
However, it would be much better if it did not require
"GET /arvados/v1/users/current"
Because that means the sharing link can be used to leak personal information about the person sharing it -- their name, email address, any profile information stored on the user record, etc.
Either the relevant keep-web (or controller) requests should not require users/current, or we should introduce a new API call which returns only the minimum information and use that.
If the primary use of the endpoint is to determine either if the token is valid, or get just the user uuid that is associated with the token, we can already do that with @api_client_authorization/current@.
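Added illustration, not part of the ticket: a small scope evaluator that shows why a sharing token carrying users/current can read the sharer's profile, while a set that carries api_client_authorizations/current instead cannot. The matching rule (a scope is "METHOD /path", "all" permits everything, a trailing slash on the scope path matches any request path with that prefix, otherwise an exact match is required) and both scope lists are assumptions for this example; the exact list from #20249 is not reproduced here.

```python
# Added example (not from the ticket): which requests does a scoped token permit?
# Assumed matching rule: "all" allows everything; otherwise the scope is
# "METHOD /path", where a path ending in "/" matches any request path with that
# prefix and any other path must match exactly.

def scope_allows(scope: str, method: str, path: str) -> bool:
    """Return True if a single scope entry permits this request."""
    if scope == "all":
        return True
    try:
        scope_method, scope_path = scope.split(" ", 1)
    except ValueError:  # malformed entry: deny rather than guess
        return False
    if scope_method != method:
        return False
    if scope_path.endswith("/"):
        return path.startswith(scope_path)
    return path == scope_path


def allowed(scopes, method: str, path: str) -> bool:
    """Return True if any scope entry on the token permits this request."""
    return any(scope_allows(s, method, path) for s in scopes)


# Hypothetical scope lists for a file-sharing token (constructed for this example).
SHARING_SCOPES_WITH_USERS_CURRENT = [
    "GET /arvados/v1/collections/",
    "GET /arvados/v1/users/current",
]
SHARING_SCOPES_MINIMAL = [
    "GET /arvados/v1/collections/",
    "GET /arvados/v1/api_client_authorizations/current",
]

USER_RECORD = ("GET", "/arvados/v1/users/current")


def leaking_scopes(scopes):
    """Scope entries that let a link holder read the sharer's user record."""
    return [s for s in scopes if scope_allows(s, *USER_RECORD)]


def pii_exposed(scopes) -> bool:
    """True if the token can read the sharer's name, email and profile."""
    return allowed(scopes, *USER_RECORD)


if __name__ == "__main__":
    for name, scopes in [("with users/current", SHARING_SCOPES_WITH_USERS_CURRENT),
                         ("minimal", SHARING_SCOPES_MINIMAL)]:
        print(f"{name}: PII exposed={pii_exposed(scopes)} via {leaking_scopes(scopes)}")
```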