Limiting API to "Read Only" access
Ethan Walgran Tyro
We are working on a broad data retention project where we need to generate an API Client that only has "Read-only" or rather "Get" access. The basic goal is to provide the developer the ability to create a script to access the system and simply retrieve content. We do not want to provide the developer the ability to "Put" and/or "Delete" any content. What would be the best manner to achieve this?
That's currently unsupported in the REST API at the client level -- we don't have a way in the client to block calling APIs based on their role within CRUD (https://en.wikipedia.org/wiki/Create,_read,_update_and_delete).
What we do have is user role checks upon an attempt to exercise an API whose effect is unauthorized for the user. If the developer doesn't have permission within the Panopto system generally to perform an action, then they won't be able to do so with the REST API either and the API should fail with an error message to that effect. This should accomplish your goals so long as the developers have only read access on the resources in question. If you find upon testing that this is not the case for any of your retention workflows, the next step would be to open a support ticket.
It could be interesting to have scopes at the client level which make this contract explicit. I've added a note to our feature request backlog to capture the idea.
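One way to test the behaviour the reply describes, as an added example that is not Panopto's code: it exercises a developer account that should be read-only against a single resource with GET and then with each state-changing verb (POST and PATCH included beyond the PUT/DELETE named in the question) and reports any write the server did not refuse. The base URL, the resource path, the bearer-token header and the constructed fake server are assumptions, since the page shows no real endpoints.

```python
"""Verify that a developer account really is read-only when exercised
through a REST API that enforces the user's role on every call."""
from dataclasses import dataclass
from typing import Callable, List

# Placeholders: the page shows no real Panopto endpoints, so these are assumed.
BASE_URL = "https://PANOPTO-HOST-PLACEHOLDER/api"
RESOURCE = "/sessions/TEST-SESSION-ID-PLACEHOLDER"

MUTATING_VERBS = ("POST", "PUT", "PATCH", "DELETE")  # each must be refused
DENIED = (401, 403, 405)
Sender = Callable[[str, str], int]  # send(verb, url) -> HTTP status


@dataclass
class Finding:
    verb: str
    status: int
    ok: bool  # True when the outcome matches a read-only contract


def check_read_only(send: Sender, url: str) -> List[Finding]:
    """GET must succeed; every mutating verb must come back denied.
    Point this at a throwaway resource: a write the server wrongly
    permits will actually take effect."""
    status = send("GET", url)
    findings = [Finding("GET", status, 200 <= status < 300)]
    for verb in MUTATING_VERBS:
        status = send(verb, url)
        findings.append(Finding(verb, status, status in DENIED))
    return findings


def violations(findings: List[Finding]) -> List[str]:
    """Verbs that break the read-only contract; an empty list means pass."""
    return [f.verb for f in findings if not f.ok]


def http_sender(token: str) -> Sender:
    """Real sender via `requests`; bearer-token auth is an assumption."""
    import requests

    def send(verb: str, url: str) -> int:
        hdr = {"Authorization": f"Bearer {token}"}
        return requests.request(verb, url, headers=hdr, timeout=30).status_code
    return send


def fake_server(role: str) -> Sender:
    """Constructed stand-in: reads succeed; writes succeed only for 'creator'."""
    def send(verb: str, url: str) -> int:
        return 200 if verb == "GET" else (204 if role == "creator" else 403)
    return send
```

Swapping `fake_server(...)` for `http_sender(token)` runs the same probe against a live tenant, and a non-empty `violations(...)` list is the evidence to attach to the support ticket the reply mentions.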