Permission or Bad EndPoint?

Jump to solution
JackThor
Community Member
‎07-16-2024 11:21 AM

Hello,

I am a programmer recently assigned to support canvas and I am using Post Man to test out the API and I am encountering an issue with the search all API endpoint. The end point I am using is this, /api/v1/search/all_courses?public_only=1&per_page=100 and I am getting a unauthorized error, 

{
    "status": "unauthorized",
    "errors": [
        {
            "message": "user not authorized to perform that action"
        }
    ]
}
 
any ideas on what the issue can be? I talked to my Admin and they said they don't see any API specific permission. So I was wondering am I calling the API end point incorrectly? Or do I need elevated permission unrelated to the API? The reason I am thinking this is because while I was playing with the API end point for courses setting there were some courses that I could not get or update. 
 
Any help, or direction would be appreciated.  

 

0 Likes
1 Solution

Jump to solution
DecoyLex
Community Participant
‎07-16-2024 04:28 PM

What happens if you go to https://[your canvas ur]l/search/all_courses/?

The List all courses API will show this error if the public course index is disabled: https://github.com/instructure/canvas-lms/blob/0045d19ea8f237443c560beb6aa6a1cd38bb4831/app/controll.... That is to say, your admin would need to enable the setting titled, "Show a searchable list of courses in this root account with the 'Include this course in the public course index' flag enabled."

As for whether you're using the API correctly, this API also only lists the courses that specifically opt in to showing up on that public course index. If you're looking for an API to search all courses, that'd be in the Accounts API: https://canvas.instructure.com/doc/api/accounts.html#method.accounts.courses_api. To get all courses in the Canvas instance, you'd use the /api/v1/accounts/self/courses endpoint. If your intention is only to show the courses that are in the public course index, you're using the right endpoint.

More generally, I'm assuming you're using a personal access token (i.e., you went to your user settings and clicked + New Access Token), your API access will match the access of the person who generated the access token (likely your own). If you're using a developer key with an OAuth2 authorization flow, your access will match that of whomever clicked the authorize button when launching the app. If the developer key has scopes enabled, your access is the cross-section of the user's permissions and the scopes for which the access token is allowed.

I hope this helps!

View solution in original post

1 person found this solution to be helpful.