Brian Palmer authored
This introduces the idea of a public API endpoint, one that doesn't need an access token or a logged-in user session. There aren't yet any endpoints like this, but there are plans to add some so this lays the groundwork.

I also cleaned up the permissions checks on some of the existing endpoints, so that you'll get a 401 and sane error response rather than a 500 error or empty data now that you can hit them when not logged in.

Also standardized the unauthorized json response. It's now more uniform in structure, and differentiates between not authenticated and not authorized. (403 might be more appropriate here, but I'm not going there now)

closes CNVS-4856

test plan: there's not yet an api endpoint you can successfully use without authentication, but you can hit some of the modified endpoints such as /users/self/groups or /courses/X/tabs without authentication and verify that you get a 401 response with a relevant json error message.

Change-Id: I63b12628e95b7e2d9aa06c311078bc8a5170dad4
Reviewed-on: https://gerrit.instructure.com/19008
Tested-by: Jenkins <jenkins@instructure.com>
Reviewed-by: Cody Cutrer <cody@instructure.com>
QA-Review: Clare Hetherington <clare@instructure.com>
Product-Review: Brian Palmer <brianp@instructure.com>
972a65e4