API: a scope with access to /uploads

I have a robot which posts to threads. Sometimes it would like to upload an image first, and include it in the post.

As far as I can see there is no API scope which gives access to /uploads so I have to give it access to everything.

Would it be reasonable (a) to define a standard scope to do this, or (b) to allow a custom scope with access to admin-defined endpoints?

3 Likes

Have you tried? I would think that a user that can post can upload.

2 Likes

Er, yes, or I wouldn’t have posted? Specifically this needs the /uploads endpoint rather than /posts, so the response is 403.

Is this any use?

1 Like

Thanks, but not really.

I have uploads working (using the /uploads endpoint). But the only way I can grant API-key permissions for this to work is to grant all permissions, which is an obvious security risk.

What I am asking for is an API permissions scope that includes /uploads - if it formed part of “write posts” that would be fine with me, but there might be reasons for making it a separate thing. Failing that (and probably a good idea in general), I’d like to be able to define a custom scope that includes the specific things I wish to allow.

2 Likes

Having a scope for creating uploads sounds like a good idea to me, certainly #pr-welcome. The relevant change would be around here:

Plus a new translation string here.

I think this would make most sense as "uploads": "create"

@RogerBW are you willing/able to make a PR here? If so, please do go ahead, and then post the link in this topic.

5 Likes
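An added example, not code from Discourse or from anyone in this thread, of the robot flow the opening post describes: upload an image via `/uploads.json`, then embed it in a post via `/posts.json`, with the API-key scope check modelled so the 403 on uploads is visible. The `REQUIRED_SCOPE` table, the scope name `uploads:create` (taken from the `"uploads": "create"` suggestion above) and `topics:write`, the `fake_server` stand-in and the `SAMPLE_PNG` bytes are assumptions and constructed inputs for offline use; the real `Api-Key`/`Api-Username` headers, the `type=composer` upload form and the `![name|WxH](short_url)` markdown are Discourse's actual conventions.

```python
import json
import mimetypes
from dataclasses import dataclass
from typing import Callable, Optional

# Hypothetical, simplified model of Discourse's per-endpoint scope checks.
# A key created with no scopes is treated here as "global" and passes everything.
REQUIRED_SCOPE = {
    ("POST", "/posts.json"): "topics:write",
    ("POST", "/uploads.json"): "uploads:create",  # the scope proposed in the thread
}


class ScopeError(RuntimeError):
    """The API key's scopes do not cover the requested endpoint."""


def check_scope(method: str, path: str, granted: set) -> str:
    """Return the scope that authorises (method, path), or raise ScopeError."""
    needed = REQUIRED_SCOPE.get((method, path))
    if needed is None:
        raise ScopeError(f"no scope covers {method} {path}")
    if "global" in granted or needed in granted:
        return needed
    raise ScopeError(f"{method} {path} needs {needed!r}; key has {sorted(granted)}")


# Transport signature: send(method, url, headers, data, files) -> (status, body_text)
Transport = Callable[[str, str, dict, dict, Optional[dict]], tuple]


@dataclass
class DiscourseBot:
    base_url: str
    api_key: str
    api_username: str
    send: Transport

    def _headers(self) -> dict:
        # Discourse authenticates API calls with these two headers.
        return {"Api-Key": self.api_key, "Api-Username": self.api_username}

    def upload_image(self, filename: str, data: bytes) -> dict:
        """POST /uploads.json as a composer upload and return the upload record."""
        mime = mimetypes.guess_type(filename)[0] or "application/octet-stream"
        status, body = self.send("POST", f"{self.base_url}/uploads.json", self._headers(),
                                 {"type": "composer", "synchronous": "true"},
                                 {"files[]": (filename, data, mime)})
        if status == 403:
            # The failure discussed in the thread: the key may post, but no scope covers /uploads.
            raise ScopeError("403 from /uploads.json: API key scope does not cover uploads")
        if status != 200:
            raise RuntimeError(f"upload failed: HTTP {status} {body[:200]}")
        return json.loads(body)

    @staticmethod
    def image_markdown(upload: dict) -> str:
        """Markdown the composer emits for an uploaded image."""
        return (f"![{upload['original_filename']}|{upload['width']}x{upload['height']}]"
                f"({upload['short_url']})")

    def post_with_image(self, topic_id: int, text: str, filename: str, data: bytes) -> dict:
        """Upload first, then create the reply that embeds the image."""
        upload = self.upload_image(filename, data)
        raw = f"{text}\n\n{self.image_markdown(upload)}"
        status, body = self.send("POST", f"{self.base_url}/posts.json", self._headers(),
                                 {"topic_id": str(topic_id), "raw": raw}, None)
        if status == 403:
            raise ScopeError("403 from /posts.json: API key scope does not cover posting")
        if status != 200:
            raise RuntimeError(f"post failed: HTTP {status} {body[:200]}")
        return json.loads(body)


def requests_transport(method, url, headers, data, files):
    """Live transport; needs the `requests` package (imported lazily so offline use works)."""
    import requests
    resp = requests.request(method, url, headers=headers, data=data, files=files, timeout=30)
    return resp.status_code, resp.text


def fake_server(granted: set) -> Transport:
    """Constructed offline stand-in for a site that enforces REQUIRED_SCOPE."""
    def send(method, url, headers, data, files):
        path = "/" + url.split("/", 3)[3]
        try:
            check_scope(method, path, granted)
        except ScopeError as e:
            return 403, json.dumps({"errors": [str(e)]})
        if path == "/uploads.json":
            name, blob, _mime = files["files[]"]
            return 200, json.dumps({"id": 1, "original_filename": name, "filesize": len(blob),
                                    "width": 1, "height": 1, "short_url": "upload://abc.png"})
        return 200, json.dumps({"id": 99, "topic_id": int(data["topic_id"]), "raw": data["raw"]})
    return send


# Constructed sample input: PNG signature plus filler, not a real image.
SAMPLE_PNG = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16

if __name__ == "__main__":
    narrow = DiscourseBot("https://forum.example", "key", "robot", fake_server({"topics:write"}))
    try:
        narrow.post_with_image(42, "Hello", "pic.png", SAMPLE_PNG)
    except ScopeError as e:
        print("posting-only key:", e)
    wide = DiscourseBot("https://forum.example", "key", "robot",
                        fake_server({"topics:write", "uploads:create"}))
    print("posting+uploads key:", wide.post_with_image(42, "Hello", "pic.png", SAMPLE_PNG)["raw"])
```

For a live site, pass `requests_transport` as `send` instead of `fake_server(...)`; the bot's behaviour is unchanged, and a key scoped only for posting still fails at the upload step rather than after the post is half-written.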

Well, not everyone does such obvious things before posting. Sorry about that! It appears that at least one other person (who I would think knows more than I on this particular issue) expected that a scope that could create a post could also create the uploads to go with it.

Doesn’t it make sense that if an API key can create a post it could also create an upload, just like a user who can create a post can also create an upload?

2 Likes

Are there any situations where uploads are useful outside of a post context? As I understand it, uploads are automatically removed periodically if they are not associated with posts so making it possible to scope an API key for uploading and not creating/modifying posts doesn’t obviously seem useful.

As @pfaffman mentioned, it would seem to make more sense if the topics:write and posts:edit scopes grant access to upload if the associated user has permission to upload.

1 Like

Ya, I’m pretty sure avatars use the same uploads route, but aren’t attached to posts.

5 Likes

Presumably uploading a new avatar is something one might make use of with the users:update API scope. (Which isn’t currently possible?)

With more varied and potential future avenues where uploads might be used, it probably does make sense to create a separate scope and put the onus on the user to choose the appropriate scoping. It’s clear for users when an API key will/won’t be able to upload and avoids potentially missing situations where uploads could be used if/when extending the APIs.

1 Like

Done. It will need testing and such but here at least is a baseline.

I used a separate scope, for the reasons described - I can certainly see that I might want to allow posts but not uploads.

5 Likes

Thanks! I added a review in GitHub.

4 Likes