Community help

pnts-se · ‎06-25-2023

What are the correct permissions to add to an account role in order to create,read,update,delete in (all) course calendars using Canvas REST API? If I change the Bearer token to one that belongs to an account admin, the API call works.

I've created an account role and added these permissions:

Course Calendar - add / edit / delete.
Manage Assignments and Quizzes
add / delete / edit.
There seems to be more, hidden, permission dependencies because I get:

{
"status": "unauthorized",
"errors": [
{
"message": "user not authorized to perform that action"
}
]
}

chriscas · ‎06-26-2023

Hi @pnts-se,

Thanks for the added context. I'm not sure exactly what you're trying to sync from external sources, but you might want to look at using account calendars instead of syncing things to individual course calendars (which could have long-term unintended consequences making import/export for future years more difficult). If you use account calendars starting on July 15, you'll be able to subscribe users to those account calendars by default.

-Chris

View solution in original post

pnts-se · ‎06-26-2023

I will always be operating on an explicit course, using http query param context_codes[]. Reviewing canvas-lms/app/controllers/calendar_events_api_controller.rb it seems the permissions added in Canvas LMS UI above will work IF the user has access to the given context_codes. I want to override this to work on all context_codes, but have the access token be scoped to CRUD operations on calendar_events.

Perhaps it works when being an account admin because it's hard-coded on the role name?

@IS_admin = user.roles(@domain_root_account).include?("admin") # if we're an admin - don't try to figure out which sections we belong to; just include all of them

chriscas · ‎06-26-2023

Hi @pnts-se,

As far as I know, the behavior you're seeing is by design. If the account used to generate your API token doesn't have access to a certain course (wither through being enrolled directly in the course, or being an admin or the account/subaccount the course belongs to), you should receive an access denied message. I don't think there is a way around this, as it would really be a security/permissions flaw if there was. If you want to be able to modify anything in an instance, you'd been to have a token from an admin role user in the root account.

I'd also like to point out for you or others who might happen upon this thread later that the above applies for course contexts. If you're trying to modify other calendar contexts like user or groups, you'd need other admin permissions set too.

Could you perhaps explain what you're trying to do with a bit more detail so someone might be able to offer some additional advice around this for you? I know you're trying to modify calendars, but what is the end goal/purpose for doing this? Are you developing an external app, or are you an admin trying to clean things up in your Canvas instance or something? Modifying calendars in bulk seems a but unusual to me as an admin, that's why I'm asking just to provide some context for myself and others here.

-Chris

pnts-se · ‎06-26-2023

@chriscasThank you for your reply.

It's for syncing an external calendar into Canvas. The purpose is to reduce students dependencies on multiple services. They should be able to view their full calendar in Canvas.

I think I've settled on a functional account, added to courses that want to sync their calendars. The account is added using a user role, only allowed to do CRUD operations on the course calendar. Then I can use an access token from that user to sync calendar events.

Would be glad to hear any suggestions or thoughts you might have!

chriscas · ‎06-26-2023

Hi @pnts-se,

Thanks for the added context. I'm not sure exactly what you're trying to sync from external sources, but you might want to look at using account calendars instead of syncing things to individual course calendars (which could have long-term unintended consequences making import/export for future years more difficult). If you use account calendars starting on July 15, you'll be able to subscribe users to those account calendars by default.

-Chris

Account role permissions for managing course calendars

Canvas

Is it posible to get the self_enrollment_code trou...

Display LTI content in pages from Editor LTI Place...

Media Plugin for Canvas LMS

Is there a way to customize the format and structu...

Search API - return Courses with include[] data ?

UI for weekly progression idea

Is the ‘Enable self assessment’ field available in...

Canvas Rubrics API Criteria

api/v1/courses/sis_course_id:{id#}/sections - Not ...

add `desc` or `asc` to a few api calls that are al...

You're signed out

Account role permissions for managing course calendars

Community help

View our top guides and resources: