Comment 14 for bug 1321080

Tristan Cacqueray (tristan-cacqueray) wrote : Re: auth token is exposed in meter http.request

@Gordon, so I have a couple of questions for the impact description draft.

From the bug description, it appears that the leaked "request.HTTP_X_AUTH_TOKEN: 4724" is not the same as the one provided in the curl command "-H 'X-Auth-Token: 258ab".
So is the leak the token of the user requesting the notifier, or is it the admin_token defined in the [filter:authtoken] configuration?

The condition for this leak to happen is when the notifier middleware is set after authtoken, which is not by default, right?