add release note

Author: stevenwinship

doc/release-notes/11740-api-file-download-with-bearer-token.md

@@ -0,0 +1,7 @@
+## Bug / Not Bug in Dataverse. Bug is in SPA Frontend
+
+Cleaned up Access APIs to localize getting user from session for JSF backward compatibility
+
+This bug requires a front end fix to send the Bearer Token in the API call.
+
+See: #11740

src/main/java/edu/harvard/iq/dataverse/api/Access.java

@@ -189,7 +189,7 @@ public BundleDownloadInstance datafileBundle(@Context ContainerRequestContext cr
 
         if (gbrecs != true && df.isReleased()){
             // Write Guestbook record if not done previously and file is released
-            gbr = guestbookResponseService.initAPIGuestbookResponse(df.getOwner(), df, session, getUser(crc));
+            gbr = guestbookResponseService.initAPIGuestbookResponse(df.getOwner(), df, session, getRequestor(crc));
             guestbookResponseService.save(gbr);
             MakeDataCountEntry entry = new MakeDataCountEntry(uriInfo, headers, dvRequestService, df);
             mdcLogService.logEntry(entry);
@@ -285,7 +285,7 @@ public Response datafile(@Context ContainerRequestContext crc, @PathParam("fileI
 
         if (gbrecs != true && df.isReleased()){
             // Write Guestbook record if not done previously and file is released
-            gbr = guestbookResponseService.initAPIGuestbookResponse(df.getOwner(), df, session, getUser(crc));
+            gbr = guestbookResponseService.initAPIGuestbookResponse(df.getOwner(), df, session, getRequestor(crc));
         }
 
         DownloadInfo dInfo = new DownloadInfo(df);
@@ -798,7 +798,7 @@ private Response downloadDatafiles(ContainerRequestContext crc, String rawFileId
         String customZipServiceUrl = settingsService.getValueForKey(SettingsServiceBean.Key.CustomZipDownloadServiceUrl);
         boolean useCustomZipService = customZipServiceUrl != null; 
 
-        User user = getUser(crc);
+        User user = getRequestor(crc);
 
         Boolean getOrig = false;
         for (String key : uriInfo.getQueryParameters().keySet()) {
@@ -1733,12 +1733,12 @@ public Response getUserPermissionsOnFile(@Context ContainerRequestContext crc, @
     // checkAuthorization is a convenience method; it calls the boolean method
     // isAccessAuthorized(), the actual workhorse, and throws a 403 exception if not.
     private void checkAuthorization(ContainerRequestContext crc, DataFile df) throws WebApplicationException {
-        User user = getUser(crc);
+        User user = getRequestor(crc);
         if (!isAccessAuthorized(user, df)) {
             throw new ForbiddenException();
         }        
     }
-    private User getUser(ContainerRequestContext crc) {
+    private User getRequestor(ContainerRequestContext crc) {
         User user = getRequestUser(crc);
         // CompoundAuthMechanism should find the user by API Key/Token, Workflow, etc. And for SPA the Bearer Token
         // For JSF check if CompoundAuthMechanism couldn't find the user then try to get it from the session