Bug #8079

Updated by Tom Clegg about 8 years ago

This is more consistent with other objects, and makes it possible to specify an API token without revealing its secret content. For example, "arv edit {uuid}" can be used by an admin to change a token's scope. 

Ensure it is not possible to retrieve an API token by looking up its UUID. Currently the filters behavior is altered such that @["uuid","=",api_token]@ looks up a token. This should change such that:
* @list?filters=[["uuid","=",X]]@ and @get?uuid=X@ return the auth record with UUID X only if token X's API token is the current API token
* @list?filters=[["api_token","=",T]]@ returns the auth record with the given api_token, but only if it belongs to the current user
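The two lookup rules proposed above, modelled as an added example over constructed in-memory records. This is not Arvados code: the record fields, the sample UUIDs and tokens, and the function names are all assumptions made for the illustration. Admin privileges are not modelled, since the post does not spell out how an admin's lookup should differ.

```python
from dataclasses import dataclass
from typing import List, Optional, Sequence, Tuple

@dataclass(frozen=True)
class ApiClientAuthorization:
    """Hypothetical shape of an auth record: the UUID is public, api_token is the secret."""
    uuid: str
    api_token: str
    owner_uuid: str
    scopes: Tuple[str, ...] = ("all",)

# Constructed sample data; every identifier here is made up for this example.
CURRENT_TOKEN = "tok-alice-1-secret"
RECORDS = [
    ApiClientAuthorization("zzzzz-gj3su-alice00000000001", "tok-alice-1-secret",
                           "zzzzz-tpzed-alice", ("all",)),
    ApiClientAuthorization("zzzzz-gj3su-alice00000000002", "tok-alice-2-secret",
                           "zzzzz-tpzed-alice", ("GET /arvados/v1/collections",)),
    ApiClientAuthorization("zzzzz-gj3su-bob0000000000001", "tok-bob-1-secret",
                           "zzzzz-tpzed-bob", ("all",)),
]

Filter = Tuple[str, str, str]  # (attribute, operator, value), as in the @filters@ parameter

def authenticate(current_token: str,
                 records: Sequence[ApiClientAuthorization] = RECORDS
                 ) -> Optional[ApiClientAuthorization]:
    """Resolve the caller's own auth record from the token presented on the request."""
    for rec in records:
        if rec.api_token == current_token:
            return rec
    return None

def _matches(rec: ApiClientAuthorization, flt: Filter,
             caller: ApiClientAuthorization, current_token: str) -> bool:
    """Apply one filter, with the extra constraints the bug report asks for."""
    attr, op, value = flt
    if op != "=":
        raise ValueError("this example only supports the '=' operator")
    if attr == "uuid":
        # A UUID lookup only succeeds for the record behind the current token,
        # so knowing a UUID never reveals someone else's secret.
        return rec.uuid == value and rec.api_token == current_token
    if attr == "api_token":
        # Looking up by secret requires already knowing it, and still only
        # returns records owned by the calling user.
        return rec.api_token == value and rec.owner_uuid == caller.owner_uuid
    raise ValueError(f"unsupported filter attribute {attr!r}")

def list_authorizations(filters: Sequence[Filter], current_token: str,
                        records: Sequence[ApiClientAuthorization] = RECORDS
                        ) -> List[ApiClientAuthorization]:
    """Equivalent of @list?filters=...@ under the proposed rules."""
    caller = authenticate(current_token, records)
    if caller is None:
        raise PermissionError("request does not carry a valid API token")
    return [rec for rec in records
            if all(_matches(rec, f, caller, current_token) for f in filters)]

def get_authorization(uuid: str, current_token: str,
                      records: Sequence[ApiClientAuthorization] = RECORDS
                      ) -> Optional[ApiClientAuthorization]:
    """Equivalent of @get?uuid=X@: same rule as a uuid filter."""
    found = list_authorizations([("uuid", "=", uuid)], current_token, records)
    return found[0] if found else None

if __name__ == "__main__":
    own = RECORDS[0].uuid
    other = RECORDS[1].uuid
    print("own uuid     ->", [r.uuid for r in list_authorizations([("uuid", "=", own)], CURRENT_TOKEN)])
    print("other uuid   ->", [r.uuid for r in list_authorizations([("uuid", "=", other)], CURRENT_TOKEN)])
    print("own secret   ->", [r.uuid for r in list_authorizations([("api_token", "=", "tok-alice-2-secret")], CURRENT_TOKEN)])
    print("bob's secret ->", [r.uuid for r in list_authorizations([("api_token", "=", "tok-bob-1-secret")], CURRENT_TOKEN)])
```

Note the asymmetry the post describes: a UUID filter is useless for anything but the caller's own token, even for another token the same user owns, while an api_token filter works for any token of the caller's own user, since the caller has proved possession of the secret by supplying it.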
