X-Git-Url: https://git.arvados.org/arvados.git/blobdiff_plain/1fa33cf0c06e07c7f3668f994f8d0def93d5ecbd..a5cf4e0ea356a7ee06f67fe159484fe20cd8a184:/services/keep-web/handler.go diff --git a/services/keep-web/handler.go b/services/keep-web/handler.go index 083040b219..863b91a7e1 100644 --- a/services/keep-web/handler.go +++ b/services/keep-web/handler.go @@ -283,8 +283,11 @@ func (h *handler) ServeHTTP(wOrig http.ResponseWriter, r *http.Request) { } else { // /collections/ID/PATH... collectionID = parseCollectionIDFromURL(pathParts[1]) - tokens = []string{h.Config.cluster.Users.AnonymousUserToken} stripParts = 2 + // This path is only meant to work for public + // data. Tokens provided with the request are + // ignored. + credentialsOK = false } } @@ -298,6 +301,10 @@ func (h *handler) ServeHTTP(wOrig http.ResponseWriter, r *http.Request) { forceReload = true } + if credentialsOK { + reqTokens = auth.CredentialsFromRequest(r).Tokens + } + formToken := r.FormValue("api_token") if formToken != "" && r.Header.Get("Origin") != "" && attachment && r.URL.Query().Get("api_token") == "" { // The client provided an explicit token in the POST @@ -313,7 +320,7 @@ func (h *handler) ServeHTTP(wOrig http.ResponseWriter, r *http.Request) { // // * The token isn't embedded in the URL, so we don't // need to worry about bookmarks and copy/paste. - tokens = append(tokens, formToken) + reqTokens = append(reqTokens, formToken) } else if formToken != "" && browserMethod[r.Method] { // The client provided an explicit token in the query // string, or a form in POST body. We must put the @@ -325,10 +332,7 @@ func (h *handler) ServeHTTP(wOrig http.ResponseWriter, r *http.Request) { } if useSiteFS { - if tokens == nil { - tokens = auth.CredentialsFromRequest(r).Tokens - } - h.serveSiteFS(w, r, tokens, credentialsOK, attachment) + h.serveSiteFS(w, r, reqTokens, credentialsOK, attachment) return } 
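Review bot: The comment added in the first hunk, "Tokens provided with the request are ignored", is not borne out by the third hunk: `reqTokens = append(reqTokens, formToken)` runs whenever a POSTed `api_token` with an Origin header and `attachment` is present, with no check of `credentialsOK`, so an explicit form token is still honored on the /collections/ID/PATH route (the `else if` cookie-redirect branch is likewise ungated). Only the header/cookie credentials gathered in the second hunk are actually skipped, and the fallback in the last hunk then appends the anonymous token after whatever landed in `reqTokens`. If the route is truly meant to be public-data only, gate the form-token branch too, e.g. `if credentialsOK && formToken != "" && r.Header.Get("Origin") != "" && attachment && r.URL.Query().Get("api_token") == "" {`; if honoring an explicit form token there is intended, the new comment should say that only cookie and Authorization-header tokens are ignored. Code between the hunks is not visible here, so it is possible an earlier return already prevents this route from reaching the form-token check; ServeHTTP starts and ends outside these hunks.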
@@ -347,9 +351,6 @@ func (h *handler) ServeHTTP(wOrig http.ResponseWriter, r *http.Request) { } if tokens == nil { - if credentialsOK { - reqTokens = auth.CredentialsFromRequest(r).Tokens - } tokens = append(reqTokens, h.Config.cluster.Users.AnonymousUserToken) }