• Brian Palmer's avatar
    allow for API calls with no auth · 972a65e4
    Brian Palmer authored
    This introduces the idea of a public API endpoint, one that doesn't need
    an access token or a logged in user session. There aren't yet any
    endpoints like this, but there are plans to add some so this lays the
    groundwork.
    
    I also cleaned up the permissions checks on some of the existing
    endpoints, so that you'll get a 401 and sane error response rather than
    a 500 error or empty data now that you can hit them when not logged in.
    
    Also standardized the unauthorized json response. It's now more uniform
    in structure, and differentiates between not authenticated and not
    authorized. (403 might be more appropriate here, but i'm not going there now)
    
    closes CNVS-4856
    
    test plan: there's not yet an api endpoint you can successfully use
    without authentication, but you can hit some of the modified endpoints
    such as /users/self/groups or /courses/X/tabs without authentication and
    verify that you get a 401 response with a relevant json error message.
    
    Change-Id: I63b12628e95b7e2d9aa06c311078bc8a5170dad4
    Reviewed-on: https://gerrit.instructure.com/19008
    
    Tested-by: default avatarJenkins <jenkins@instructure.com>
    Reviewed-by: default avatarCody Cutrer <cody@instructure.com>
    QA-Review: Clare Hetherington <clare@instructure.com>
    Product-Review: Brian Palmer <brianp@instructure.com>
    972a65e4