Remove read privilege. Public data is now readable by everyone without having to pass an API token. Feel free to test around as much as you like!

app/start.go

@@ -39,28 +39,26 @@ func Start(conf common.Conf, dbO *sql.DB) *gin.Engine {
 			gv1.POST("/tokens/new", Method(v1.TokenNewPOST))
 			gv1.GET("/tokens/self/delete", Method(v1.TokenSelfDeleteGET))
 
-			// Auth-free API endpoints
+			// Auth-free API endpoints (public data)
 			gv1.GET("/ping", Method(v1.PingGET))
 			gv1.GET("/surprise_me", Method(v1.SurpriseMeGET))
 			gv1.GET("/privileges", Method(v1.PrivilegesGET))
 			gv1.GET("/doc", Method(v1.DocGET))
 			gv1.GET("/doc/content", Method(v1.DocContentGET))
 			gv1.GET("/doc/rules", Method(v1.DocRulesGET))
-
-			// Read privilege required
-			gv1.GET("/users", Method(v1.UsersGET, common.PrivilegeRead))
-			gv1.GET("/users/self", Method(v1.UserSelfGET, common.PrivilegeRead))
-			gv1.GET("/users/whatid", Method(v1.UserWhatsTheIDGET, common.PrivilegeRead))
-			gv1.GET("/users/full", Method(v1.UserFullGET, common.PrivilegeRead))
-			gv1.GET("/users/userpage", Method(v1.UserUserpageGET, common.PrivilegeRead))
-			gv1.GET("/users/lookup", Method(v1.UserLookupGET, common.PrivilegeRead))
-			gv1.GET("/users/scores/best", Method(v1.UserScoresBestGET, common.PrivilegeRead))
-			gv1.GET("/users/scores/recent", Method(v1.UserScoresRecentGET, common.PrivilegeRead))
-			gv1.GET("/badges", Method(v1.BadgesGET, common.PrivilegeRead))
-			gv1.GET("/beatmaps", Method(v1.BeatmapGET, common.PrivilegeRead))
-			gv1.GET("/leaderboard", Method(v1.LeaderboardGET, common.PrivilegeRead))
-			gv1.GET("/tokens", Method(v1.TokenGET, common.PrivilegeRead))
-			gv1.GET("/tokens/self", Method(v1.TokenSelfGET, common.PrivilegeRead))
+			gv1.GET("/users", Method(v1.UsersGET))
+			gv1.GET("/users/whatid", Method(v1.UserWhatsTheIDGET))
+			gv1.GET("/users/full", Method(v1.UserFullGET))
+			gv1.GET("/users/userpage", Method(v1.UserUserpageGET))
+			gv1.GET("/users/lookup", Method(v1.UserLookupGET))
+			gv1.GET("/users/scores/best", Method(v1.UserScoresBestGET))
+			gv1.GET("/users/scores/recent", Method(v1.UserScoresRecentGET))
+			gv1.GET("/badges", Method(v1.BadgesGET))
+			gv1.GET("/beatmaps", Method(v1.BeatmapGET))
+			gv1.GET("/leaderboard", Method(v1.LeaderboardGET))
+			gv1.GET("/tokens", Method(v1.TokenGET))
+			gv1.GET("/users/self", Method(v1.UserSelfGET))
+			gv1.GET("/tokens/self", Method(v1.TokenSelfGET))
 
 			// ReadConfidential privilege required
 			gv1.GET("/friends", Method(v1.FriendsGET, common.PrivilegeReadConfidential))

app/tokens.go

@@ -19,7 +19,7 @@ func GetTokenFull(token string, db *sql.DB) (common.Token, bool) {
 			&t.ID, &t.UserID, &privs, &priv8,
 		)
 	if priv8 {
-		privs = common.PrivilegeRead | common.PrivilegeReadConfidential | common.PrivilegeWrite
+		privs = common.PrivilegeReadConfidential | common.PrivilegeWrite
 	}
 	t.Privileges = common.Privileges(privs)
 	switch {

app/v1/privileges.go

@@ -26,7 +26,7 @@ func PrivilegesGET(md common.MethodData) common.CodeMessager {
 	r := privilegesData{}
 	r.Code = 200
 	// This code sucks.
-	r.Read = md.User.Privileges.HasPrivilegeRead()
+	r.Read = true
 	r.ReadConfidential = md.User.Privileges.HasPrivilegeReadConfidential()
 	r.Write = md.User.Privileges.HasPrivilegeWrite()
 	r.ManageBadges = md.User.Privileges.HasPrivilegeManageBadges()

common/privileges.go

@@ -4,7 +4,7 @@ import "strings"
 
 // These are the various privileges a token can have.
 const (
-	PrivilegeRead             = 1 << iota // pretty much public data: leaderboard, scores, user profiles (without confidential stuff like email)
+	PrivilegeRead             = 1 << iota // used to be to fetch public data, such as user information etc. this is deprecated.
 	PrivilegeReadConfidential             // (eventual) private messages, reports... of self
 	PrivilegeWrite                        // change user information, write into confidential stuff...
 	PrivilegeManageBadges                 // can change various users' badges.
@@ -22,11 +22,6 @@ const (
 // Privileges is a bitwise enum of the privileges of an user's API key.
 type Privileges uint64
 
-// HasPrivilegeRead returns whether the Read privilege is included in the privileges.
-func (p Privileges) HasPrivilegeRead() bool {
-	return p&PrivilegeRead != 0
-}
-
 // HasPrivilegeReadConfidential returns whether the ReadConfidential privilege is included in the privileges.
 func (p Privileges) HasPrivilegeReadConfidential() bool {
 	return p&PrivilegeReadConfidential != 0
@@ -114,7 +109,7 @@ func (p Privileges) String() string {
 }
 
 var privilegeMustBe = [...]int{
-	UserPrivilegeNormal,
+	1 << 30, // read is deprecated, and should be given out to no-one.
 	UserPrivilegeNormal,
 	UserPrivilegeNormal,
 	AdminPrivilegeAccessRAP | AdminPrivilegeManageBadges,