Various API routes return 401 error with valid token #266

Closed
requ1Re opened this issue May 18, 2024 · 3 comments

requ1Re commented May 18, 2024

Description

While testing the API, I found out that multiple routes return `missing, malformed, expired or otherwise invalid token provided` errors (status code 401) even if you use valid, full-permission API tokens. For example, getting a project background (using `GET /api/v1/projects/{id}/background`) always yields this error for me, even on the try.vikunja.io instance and if the project has a user-uploaded background. Another route which does not work is `/api/v1/routes`, for example. I think there are even more than that.

There was a similar issue, but that has since been closed as completed: #105

Vikunja Version

v0.23.0

Browser and version

n/a

Can you reproduce the bug on the Vikunja demo site?

Yes

@kolaente
Member

/routes is not supposed to work, as there is no permission for it. The route is only really used for the form in the frontend when creating a token.

Should the project background be a separate permission or an existing one like project read?

@requ1Re
Author

requ1Re commented May 23, 2024

It should probably be part of the project read permission. I would've guessed API keys with "full permissions" (aka. all permission checkboxes checked) would have access to everything anyways.

I think there was another route (not /routes) which had the same error, I am not sure which it was though.

@kolaente
Member

kolaente commented Jun 3, 2024

Now fixed in 99a67e0. There are now new permissions for all routes, except user settings. Please check with the next unstable build (should be ready for deployment in ~45min, also on try).
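The gap discussed in this thread, sketched as an added Go example (not Vikunja's code): with deny-by-default token checks, any route that no permission maps to returns 401 even for a token holding every permission, so a coverage audit over the route table finds such routes before users do. The permission names, the `/api/v1/tasks` route and the table layout are assumptions made for illustration.

```go
package main

import "fmt"

// Route is one API endpoint. All data below is constructed; names are hypothetical.
type Route struct{ Method, Path string }

var tokenPermissions = map[string]Route{ // permission -> route it unlocks
	"projects.read_one": {"GET", "/api/v1/projects/{id}"},
	"tasks.read_all":    {"GET", "/api/v1/tasks"},
}
var registeredRoutes = []Route{ // everything the router serves
	{"GET", "/api/v1/projects/{id}"},
	{"GET", "/api/v1/projects/{id}/background"},
	{"GET", "/api/v1/tasks"},
	{"GET", "/api/v1/routes"},
}

// Routes deliberately closed to API tokens; the thread names /routes.
var tokenExempt = map[Route]bool{{"GET", "/api/v1/routes"}: true}

// Authorize is deny-by-default: 200 only if a granted permission maps to r.
func Authorize(granted []string, r Route) int {
	for _, p := range granted {
		if tokenPermissions[p] == r {
			return 200
		}
	}
	return 401
}

// AllPermissions models a token with every permission checkbox ticked.
func AllPermissions() (all []string) {
	for name := range tokenPermissions {
		all = append(all, name)
	}
	return all
}

// UncoveredRoutes lists non-exempt routes that even a full token cannot reach.
func UncoveredRoutes() (gaps []string) {
	for _, r := range registeredRoutes {
		if Authorize(AllPermissions(), r) != 200 && !tokenExempt[r] {
			gaps = append(gaps, r.Method+" "+r.Path)
		}
	}
	return gaps
}

func main() { fmt.Println("uncovered:", UncoveredRoutes()) }
```

Run as a CI check against the real route table, a non-empty result means a route was registered without either a permission or an explicit exemption.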
