API: a scope with access to /uploads

I have a robot which posts to threads. Sometimes it would like to upload an image first, and include it in the post.

As far as I can see there is no API scope which gives access to /uploads so I have to give it access to everything.

Would it be reasonable (a) to define a standard scope to do this, or (b) to allow a custom scope with access to admin-defined endpoints?


Have you tried? I would think that a user that can post can upload.


Er, yes, or I wouldn’t have posted? Specifically this needs the /uploads endpoint rather than /posts, so the response is 403.

Is this any use?

Thanks, but not really.

I have uploads working (using the /uploads endpoint). But the only way I can grant API-key permissions for this to work is to grant all permissions, which is an obvious security risk.

What I am asking for is an API permissions scope that includes /uploads - if it formed part of “write posts” that would be fine with me, but there might be reasons for making it a separate thing. Failing that (and probably a good idea in general), I’d like to be able to define a custom scope that includes the specific things I wish to allow.


Having a scope for creating uploads sounds like a good idea to me, certainly #pr-welcome. The relevant change would be around here:

Plus a new translation string here.

I think this would make most sense as "uploads": "create"

@RogerBW are you willing/able to make a PR here? If so, please do go ahead, and then post the link in this topic.


Well, not everyone does such obvious things before posting. Sorry about that! It appears that at least one other person (who I would think knows more than I on this particular issue) expected that a scope that could create a post could also create the uploads to go with it.

Doesn’t it make sense that if an API key can create a post, it could also create an upload, just like a user who can create a post can also create an upload?


Are there any situations where uploads are useful outside of a post context? As I understand it, uploads are automatically removed periodically if they are not associated with posts so making it possible to scope an API key for uploading and not creating/modifying posts doesn’t obviously seem useful.

As @pfaffman mentioned, it would seem to make more sense if the topics:write and posts:edit scopes grant access to upload if the associated user has permission to upload.

Ya, I’m pretty sure avatars use the same uploads route, but aren’t attached to posts.


Presumably uploading a new avatar is something one might make use of with the users:update API scope. (Which isn’t currently possible?)

With more varied and potential future avenues where uploads might be used, it probably does make sense to create a separate scope and put the onus on the user to choose the appropriate scoping. It’s clear for users when an API key will/won’t be able to upload and avoids potentially missing situations where uploads could be used if/when extending the APIs.

Done. It will need testing and such but here at least is a baseline.

I used a separate scope, for the reasons described - I can certainly see that I might want to allow posts but not uploads.


Thanks! I added a review in GitHub.
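
The least-privilege trade-off discussed in this thread, as an added example that is not part of any post and is not Discourse's own code: a simplified deny-by-default scope check comparing a posts-only key, a key that also holds the proposed `uploads:create` scope, and a global key. The scope-to-action map, route table, and all class and method names are assumptions made for illustration.

```ruby
# Simplified model of scoped API keys (hypothetical names, not Discourse source).
# Each "resource:action" scope maps to the controller actions it permits.
SCOPE_ACTIONS = {
  "topics:write"   => %w[posts#create],
  "uploads:create" => %w[uploads#create] # the scope proposed in this thread
}.freeze

# Constructed route table: the two requests the bot makes, plus one it never needs.
ROUTES = {
  ["POST", "/posts"]     => "posts#create",
  ["POST", "/uploads"]   => "uploads#create",
  ["DELETE", "/posts/1"] => "posts#destroy"
}.freeze

ApiKey = Struct.new(:name, :scopes, :global) do
  # Deny by default: unknown routes and unmapped scopes grant nothing.
  def allowed?(verb, path)
    action = ROUTES[[verb, path]]
    return false if action.nil?
    return true if global
    scopes.any? { |scope| SCOPE_ACTIONS.fetch(scope, []).include?(action) }
  end

  def status_for(verb, path)
    allowed?(verb, path) ? 200 : 403
  end

  # How many of the known routes this key can reach (its exposure if leaked).
  def reach
    ROUTES.keys.count { |verb, path| allowed?(verb, path) }
  end
end

POST_ONLY = ApiKey.new("bot-posts", ["topics:write"], false)
SCOPED    = ApiKey.new("bot-posts-uploads", ["topics:write", "uploads:create"], false)
GLOBAL    = ApiKey.new("bot-global", [], true)

[POST_ONLY, SCOPED, GLOBAL].each do |key|
  puts format("%-18s POST /posts=%d  POST /uploads=%d  reachable routes=%d",
              key.name,
              key.status_for("POST", "/posts"),
              key.status_for("POST", "/uploads"),
              key.reach)
end
```

The posts-only key reproduces the 403 on `/uploads` described above, while the global key that works around it also reaches the destructive route the bot never uses.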