Remove read privilege. Public data is now readable by everyone without having to pass an API token. Feel free to test around as much as you like!

app/start.go

@@ -39,28 +39,26 @@ func Start(conf common.Conf, dbO *sql.DB) *gin.Engine {
 			gv1.POST("/tokens/new", Method(v1.TokenNewPOST))
 			gv1.GET("/tokens/self/delete", Method(v1.TokenSelfDeleteGET))
 
-			// Auth-free API endpoints
+			// Auth-free API endpoints (public data)
 			gv1.GET("/ping", Method(v1.PingGET))
 			gv1.GET("/surprise_me", Method(v1.SurpriseMeGET))
 			gv1.GET("/privileges", Method(v1.PrivilegesGET))
 			gv1.GET("/doc", Method(v1.DocGET))
 			gv1.GET("/doc/content", Method(v1.DocContentGET))
 			gv1.GET("/doc/rules", Method(v1.DocRulesGET))
-
-			// Read privilege required
-			gv1.GET("/users", Method(v1.UsersGET, common.PrivilegeRead))
-			gv1.GET("/users/self", Method(v1.UserSelfGET, common.PrivilegeRead))
-			gv1.GET("/users/whatid", Method(v1.UserWhatsTheIDGET, common.PrivilegeRead))
-			gv1.GET("/users/full", Method(v1.UserFullGET, common.PrivilegeRead))
-			gv1.GET("/users/userpage", Method(v1.UserUserpageGET, common.PrivilegeRead))
-			gv1.GET("/users/lookup", Method(v1.UserLookupGET, common.PrivilegeRead))
-			gv1.GET("/users/scores/best", Method(v1.UserScoresBestGET, common.PrivilegeRead))
-			gv1.GET("/users/scores/recent", Method(v1.UserScoresRecentGET, common.PrivilegeRead))
-			gv1.GET("/badges", Method(v1.BadgesGET, common.PrivilegeRead))
-			gv1.GET("/beatmaps", Method(v1.BeatmapGET, common.PrivilegeRead))
-			gv1.GET("/leaderboard", Method(v1.LeaderboardGET, common.PrivilegeRead))
-			gv1.GET("/tokens", Method(v1.TokenGET, common.PrivilegeRead))
-			gv1.GET("/tokens/self", Method(v1.TokenSelfGET, common.PrivilegeRead))
+			gv1.GET("/users", Method(v1.UsersGET))
+			gv1.GET("/users/whatid", Method(v1.UserWhatsTheIDGET))
+			gv1.GET("/users/full", Method(v1.UserFullGET))
+			gv1.GET("/users/userpage", Method(v1.UserUserpageGET))
+			gv1.GET("/users/lookup", Method(v1.UserLookupGET))
+			gv1.GET("/users/scores/best", Method(v1.UserScoresBestGET))
+			gv1.GET("/users/scores/recent", Method(v1.UserScoresRecentGET))
+			gv1.GET("/badges", Method(v1.BadgesGET))
+			gv1.GET("/beatmaps", Method(v1.BeatmapGET))
+			gv1.GET("/leaderboard", Method(v1.LeaderboardGET))
+			gv1.GET("/tokens", Method(v1.TokenGET))
+			gv1.GET("/users/self", Method(v1.UserSelfGET))
+			gv1.GET("/tokens/self", Method(v1.TokenSelfGET))
 
 			// ReadConfidential privilege required
 			gv1.GET("/friends", Method(v1.FriendsGET, common.PrivilegeReadConfidential))

app/tokens.go

@@ -19,7 +19,7 @@ func GetTokenFull(token string, db *sql.DB) (common.Token, bool) {
 			&t.ID, &t.UserID, &privs, &priv8,
 		)
 	if priv8 {
-		privs = common.PrivilegeRead | common.PrivilegeReadConfidential | common.PrivilegeWrite
+		privs = common.PrivilegeReadConfidential | common.PrivilegeWrite
 	}
 	t.Privileges = common.Privileges(privs)
 	switch {

app/v1/privileges.go

@@ -26,7 +26,7 @@ func PrivilegesGET(md common.MethodData) common.CodeMessager {
 	r := privilegesData{}
 	r.Code = 200
 	// This code sucks.
-	r.Read = md.User.Privileges.HasPrivilegeRead()
+	r.Read = true
 	r.ReadConfidential = md.User.Privileges.HasPrivilegeReadConfidential()
 	r.Write = md.User.Privileges.HasPrivilegeWrite()
 	r.ManageBadges = md.User.Privileges.HasPrivilegeManageBadges()