If I call the flash applets with token_auth=anonymous they are shown nevertheless anonymous do not have view permissions.
If I do the same with JSON api call access is blocked.
Additional to this it would be great if the Flash applet wouldn't return only the below if access has been denied. It's not very easy for users to understand what happened here.
Open Flash Chart JSON Parse Error [Syntax Error] Error at character 0, line 1: 0: <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1
Sorry, I should have been more clear in #790. token_auth is used for API calls; token_auth is not used for authentication in iframes or flash widgets.
In your test case, the API request for JSON formatted data failed as expected. The reason the flash widget succeeded is because you were logged in and Piwik used the authenticated login session. While the Flash widget does use JSON formatted data, the data stream contains additional information required by Open Flash Chart, and as such, it is not the same data as an API request for JSON data.
I need to be able to authenticate the flash data request with token_auth. Drupal user do not need to log into piwik website. They see all standard statistics in the reports section. I do not need to authenticate the swf file themself... only the data that is used to build the flash chart.
Here is an example URL that doesn't allow me to get the flash data: