Comment 0 for bug 1212205

Gavin Panella (allenap) wrote :

maasserver.api.get_file_by_name is used to define a couple of API operations: AnonFilesHandler.get_by_name and FilesHandler.get_by_name. However, it does not verify ownership of the file, thus allowing anyone to download any file. FileHandler.read is an example of what should be done.

get_file_by_key may be similarly vulnerable.
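The authorization gap described in this report, as an added illustration that is not MAAS code and not the commenter's: a lookup keyed only on the filename (or key) returns any user's file, while the same lookup scoped to the requesting user's own records does not. The store, record type, usernames, keys and helper names below are all hypothetical stand-ins, and only the authenticated case is modelled; what the anonymous handler should do instead is not stated in the report.

```python
"""Added example modelling a file lookup with and without an owner check.

Not MAAS code. FileRecord, STORE, NotFound and the function names are
hypothetical; the sample records are constructed for this example.
"""
from dataclasses import dataclass
from typing import Dict, List


class NotFound(Exception):
    """Stand-in for an HTTP 404 response."""


@dataclass(frozen=True)
class FileRecord:
    filename: str
    owner: str      # username of the uploader
    key: str        # opaque per-file key (hypothetical)
    content: bytes


# Constructed sample data: two users, one file each.
STORE: List[FileRecord] = [
    FileRecord("alice-config.yaml", "alice", "key-alice-1", b"secret: a"),
    FileRecord("bob-notes.txt", "bob", "key-bob-1", b"secret: b"),
]


def get_file_by_name_vulnerable(filename: str) -> FileRecord:
    """The flaw: the lookup never asks who is requesting the file."""
    for rec in STORE:
        if rec.filename == filename:
            return rec
    raise NotFound(filename)


def get_file_by_name_fixed(requesting_user: str, filename: str) -> FileRecord:
    """Scope the lookup to files owned by the caller.

    Answering 'not found' rather than 'forbidden' also avoids confirming
    to the caller that another user's file exists under that name.
    """
    for rec in STORE:
        if rec.owner == requesting_user and rec.filename == filename:
            return rec
    raise NotFound(filename)


def get_file_by_key_fixed(requesting_user: str, key: str) -> FileRecord:
    """Same treatment for the key-based lookup the report flags as a
    probable second instance of the same gap."""
    for rec in STORE:
        if rec.owner == requesting_user and rec.key == key:
            return rec
    raise NotFound(key)


def demo() -> Dict[str, bool]:
    """Compare the two behaviours for bob requesting alice's file."""
    results: Dict[str, bool] = {}
    # Vulnerable path: bob asks for alice's file by name and receives it.
    leaked = get_file_by_name_vulnerable("alice-config.yaml")
    results["vulnerable_leaks"] = leaked.owner == "alice"
    # Fixed path: the same request from bob is a 404.
    try:
        get_file_by_name_fixed("bob", "alice-config.yaml")
        results["fixed_leaks"] = True
    except NotFound:
        results["fixed_leaks"] = False
    # Fixed path: the owner still reads her own file.
    own = get_file_by_name_fixed("alice", "alice-config.yaml")
    results["owner_can_read"] = own.content == b"secret: a"
    return results


if __name__ == "__main__":
    print(demo())
```

The check to carry over to any other operation that resolves a file from a caller-supplied identifier is the same: filter by the requesting user before matching on name or key, never after.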