save the rights of a token when this is stored, since you should not need other information besides the token; before, these rights were sent on each get request
EDIT, since the above implementation was changed:
check rights of the current user on the requested file and store them on the token
make sure that the token rights are up to date when files are requested
EDIT, since the above implementation was changed: