edgi-govdata-archiving / web-monitoring-db

An HTTP API for tracking and annotating changes to a set of web pages.
https://api.monitoring.envirodatagov.org/
GNU General Public License v3.0

Ensure permissions are correctly enforced #1072

Closed Mr0grog closed 1 year ago

Mr0grog commented 1 year ago

It turns out we were lazy about a lot of permissions in the API since we had a small set of users and nobody with view permissions didn't also have annotate. Now that we are enabling public access, that's a problem! This makes sure we're checking appropriate permissions in all the API controllers and actions.

This also does a little work to differentiate requests with no credentials and invalid credentials, which is important now that we are enabling public view access (no credentials is OK, invalid credentials is obviously an error, but needs an API-style response rather than the default authentication error handling). Devise doesn't provide anything that differentiates those, so we have to drop down to check some Warden data.

Found as part of auditing API access and options in https://github.com/edgi-govdata-archiving/web-monitoring-db/issues/1070.
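
The three-way distinction described above (no credentials, invalid credentials, valid credentials) combined with a per-action permission check, as an added example that is not part of the pull request or the project's code. It is plain Ruby rather than Devise/Warden; the Bearer token scheme, the `USERS` store, and the `identify`, `authorize` and `api_error` helpers are all assumptions made for illustration.

```ruby
require 'json'

# Constructed in-memory user store; tokens and permission names are hypothetical.
USERS = {
  'token-viewer'    => { name: 'viewer',    permissions: [:view] },
  'token-annotator' => { name: 'annotator', permissions: [:view, :annotate] }
}.freeze

# Permissions granted to requests that present no credentials at all.
PUBLIC_PERMISSIONS = [:view].freeze

# Classify the request into three states instead of two:
#   :anonymous     - no credentials were sent
#   :invalid       - credentials were sent but rejected
#   :authenticated - credentials matched a user
def identify(headers)
  raw = headers['Authorization']
  return [:anonymous, nil] if raw.nil? || raw.strip.empty?

  scheme, token = raw.split(' ', 2)
  user = USERS[token.to_s.strip] if scheme.to_s.casecmp?('Bearer')
  user ? [:authenticated, user] : [:invalid, nil]
end

# Build an API-style JSON error instead of a default authentication failure page.
def api_error(status, title)
  [status, JSON.generate(errors: [{ status: status, title: title }])]
end

# Returns [http_status, json_body] for an action that needs the `required` permission.
def authorize(headers, required)
  state, user = identify(headers)
  # Invalid credentials never fall back to public access, even on public actions.
  return api_error(401, 'Invalid credentials') if state == :invalid

  granted = user ? user[:permissions] : PUBLIC_PERMISSIONS
  return [200, JSON.generate(data: "ok: #{required}")] if granted.include?(required)

  # Anonymous callers are asked to authenticate; known users are forbidden.
  return api_error(401, 'Authentication required') if state == :anonymous

  api_error(403, "Missing permission: #{required}")
end
```
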