Unfortunetely i have made a mistake in creating the url for access a piwik table from outside:
As you can see, after the token_auth i have one (1) space.
Funny now, becuase this user has NO access, but can see the result!
If the url is given in correct format (no space between token_auth and the =, the access is forbidden (as it should):
You can't access this resource as it requires a 'view' access for the website id = 1.
But further funny, if there are 2 spaces (1 BEFORE the = and 1 after like: token_auth%20=%20ecb47dbe1601a91c668653bfd2c05d3b
access is allowed!
This seems to me as a heavy bug.
Unable to reproduce. Please check that the anonymous user doesn't have View access.