I found a discrepancy between two functions that deal with security tokens:
in BasicSecurityTokenDecoder::createToken, an empty token is rejected only
if $_GET['authz'] is not empty, i.e. I may use a gadget without a security
token, as long as there is no authz:
    if (empty($stringToken) && ! empty($_GET['authz'])) {
        throw new GadgetException('INVALID_GADGET_TOKEN');
    }
but in GadgetDataServlet::createResponse, an empty token is always rejected:
    if (empty($token)) {
        throw new Exception("INVALID_GADGET_TOKEN");
    }
Is this a bug or a feature?
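The following is an added example, not code from the post or from the project it discusses. It reduces the two quoted checks to pure functions (the `$authz` parameter stands in for `$_GET['authz']`, `null` meaning absent) and runs both over constructed inputs, so the exact inputs on which the decoder and the servlet disagree are visible. The `strictAcceptsToken` function is a hypothetical fail-closed variant, included only to show what aligning the two checks on the servlet's behaviour would look like.

```php
<?php
// Added example, not Shindig code: the two checks from the question as pure
// functions so they can be compared on identical inputs.
// $authz stands in for $_GET['authz']; null means the parameter is absent.

function decoderAcceptsToken(string $stringToken, ?string $authz): bool {
    // Mirrors BasicSecurityTokenDecoder::createToken: rejects only when the
    // token is empty AND authz is non-empty.
    if (empty($stringToken) && !empty($authz)) {
        return false; // original code throws GadgetException('INVALID_GADGET_TOKEN')
    }
    return true;
}

function servletAcceptsToken(string $token): bool {
    // Mirrors GadgetDataServlet::createResponse: rejects every empty token.
    if (empty($token)) {
        return false; // original code throws Exception("INVALID_GADGET_TOKEN")
    }
    return true;
}

// Hypothetical fail-closed variant (not in the project): an empty token is
// rejected regardless of authz, so both entry points would agree.
function strictAcceptsToken(string $token, ?string $authz): bool {
    return !empty($token);
}

// Constructed inputs covering each combination of empty/non-empty token and
// absent/present authz. '0' is included because PHP's empty('0') is true,
// which both original checks inherit.
$cases = [
    ['token' => 'abc123', 'authz' => null],
    ['token' => 'abc123', 'authz' => 'signed'],
    ['token' => '',       'authz' => null],
    ['token' => '',       'authz' => 'signed'],
    ['token' => '0',      'authz' => null],
];

function compareChecks(array $cases): array {
    $rows = [];
    foreach ($cases as $c) {
        $rows[] = [
            'token'   => var_export($c['token'], true),
            'authz'   => var_export($c['authz'], true),
            'decoder' => decoderAcceptsToken($c['token'], $c['authz']) ? 'accept' : 'reject',
            'servlet' => servletAcceptsToken($c['token']) ? 'accept' : 'reject',
            'strict'  => strictAcceptsToken($c['token'], $c['authz']) ? 'accept' : 'reject',
        ];
    }
    return $rows;
}

foreach (compareChecks($cases) as $r) {
    $flag = ($r['decoder'] !== $r['servlet']) ? '  <-- disagreement' : '';
    printf("token=%-8s authz=%-8s decoder=%-6s servlet=%-6s strict=%-6s%s\n",
        $r['token'], $r['authz'], $r['decoder'], $r['servlet'], $r['strict'], $flag);
}
```

Run with `php compare_checks.php`. The rows flagged as disagreements are exactly those where the token is empty (or `'0'`) and `authz` is absent: the decoder accepts them, the servlet rejects them. The `strict` column matches the servlet on every row, which is the fail-closed behaviour a reviewer would normally expect from a token check.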