I have uploads working (using the /uploads endpoint). But the only way I can grant API-key permissions for this to work is to grant all permissions, which is an obvious security risk.
What I am asking for is an API permissions scope that includes /uploads - if it formed part of “write posts” that would be fine with me, but there might be reasons for making it a separate thing. Failing that (and probably a good idea in general), I’d like to be able to define a custom scope that includes the specific things I wish to allow.
Well, not everyone does such obvious things before posting. Sorry about that! It appears that at least one other person (who I would think knows more than I on this particular issue) expected that a scope that could create a post could also create the uploads to go with it.
Doesn’t it make sense that if a api key can create a post they could also create an upload, just like a user who can create a post can also create an upload?
Are there any situations where uploads are useful outside of a post context? As I understand it, uploads are automatically removed periodically if they are not associated with posts so making it possible to scope an API key for uploading and not creating/modifying posts doesn’t obviously seem useful.
As @pfaffman mentioned, it would seem to make more sense if the topics:write and posts:edit scopes grant access to upload if the associated user has permission to upload.
Presumably uploading a new avatar is something one might make use of with the users:update API scope. (Which isn’t currently possible?)
With more varied and potential future avenues where uploads might be used, it probably does make sense to create a separate scope and put the onus on the user to choose the appropriate scoping. It’s clear for users when an API key will/won’t be able to upload and avoids potentially missing situations where uploads could be used if/when extending the APIs.