Fleet-Up API // Permissions
The Fleet-Up API has various levels of permissions that control what data can be accessed. The sections below explain the main areas of concern.
Tip: A permissions failure will almost always return an HTTP 403 status plus a JSON document with a message and code.
App-Level Permissions
Fleet-Up API keys are always generated for a specific app. This means that a key generated for one app cannot be used by another. When an app is registered on Fleet-Up the developer specifies which permissions and data access they require. These permissions are immutable and are shown to users that wish to create keys for the app. So, users will understand what an app can and cannot do through the API using their key.
Permission Area | Available Options
My Group Memberships | Read-only Access
Groups | Read & Write Access
Fittings | Read & Write Access
Doctrines | Read & Write Access
Timers | Read & Write Access
Operations | Read & Write Access
Fleet History | Read-only Access
Flyable Information | Read-only Access
Certificates | Read & Write Access
Shopping Lists | Read & Write Access
Group-Level Permissions
Fleet-Up already supports permissions at a group level that control what group members are able to do. At the most basic "Member" level, users mostly get a read-only view of data on Fleet-Up, whereas a "GroupManager" can perform almost any task under a specific group. When using the Fleet-Up API these permissions remain in place, so a user can only perform an operation through their API key that they would be able to perform through the UI.
0. Member
Basic group members effectively have a read-only view of everything. All approved members, fittings, and doctrines are visible but cannot be modified in any way. Members can, however, create fleets within the group.
I. Contributors
Members with a rank of 'Contributor' have the same abilities as above but may also import, edit, and delete fittings. Contributors may only edit and delete fittings which they added.
II. Fitting Managers
Members with a rank of 'Fitting Manager' have the same abilities as above but may also import, edit, and delete their own or any other member's fittings. Fitting Managers can help check and audit uploaded fittings as well as add their own for the benefit of the group.
III. Doctrine Managers (Certificate Managers)
Members with a rank of 'Doctrine Manager' have the same abilities as above but may also create, edit, and delete any doctrines. Doctrine Managers are able to define and update doctrines for the benefit of other group members. In addition to this, Doctrine Managers have the ability to run 'Pilot Reports' against a doctrine or individual fitting that shows how many pilots can fly each ship. Doctrine Managers also have rights to create, update, and delete Certificates (skill-plans) as well as run pilot reports against them.
IV. Group Managers
Members with a rank of 'Group Manager' have the same abilities as above but also have the ability to manage the group itself. Group Managers can edit the group details and settings, approve pending applications, remove members, and change the management level of other members. Group Managers cannot remove or edit the 'Creator/Owner'. Group Managers can see but not edit the group-sharing information.
V. Creator/Owner
The creator and owner of the group has all the above abilities plus they can manage all permissions as well as delete the group. The group owner can also administer the group-sharing permissions to allow information to be shared with other groups.
Post Operations
There is a checkbox on the members list that allows members to be defined as able to post operations and timers. Group Managers and Creator/Owners can post operations by default and can edit any other user's operation or timer. Other users can only edit their own operations.
API Key Group Scope
When a user creates an API key for an app registered on Fleet-Up.com they can select a group "scope". The group scope controls which groups the API key has access to, which lets a user restrict the groups that a particular API key might access. For example, if a user is a member of multiple groups on Fleet-Up, they may not wish for an app for one alliance to access their other groups.
There are two states for the group scope: the user may select that their API key can access all their groups, or they may restrict access to one specific group. These are the only options currently available.
Group-Level API Block
At a group level, group managers and owners have the option to turn on an API "block". Doing so will prevent all API access to the group. The purpose of this is to give Fleet-Up group managers control to prevent API access to the group's data.
To toggle the API block visit the Groups section, click the "Edit" button against a group, and click the "API Access" tab.
Please Note: The API block does not block the "Calendar API", which allows users to sync operations to their phone or similar.
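The layers described on this page (app-level permissions, key group scope, group API block, group rank) combined into one decision function, as an added example that is not Fleet-Up's own code. The names Key, Group, Rank and authorize, the order of the checks, and the reason strings are assumptions; the write-rank table covers only the areas whose required rank the page spells out and denies writes to any other area.

```python
from dataclasses import dataclass
from enum import IntEnum
from typing import Optional

# Group ranks 0..V in the order the page lists them (names are illustrative).
Rank = IntEnum("Rank", "MEMBER CONTRIBUTOR FITTING_MANAGER "
                       "DOCTRINE_MANAGER GROUP_MANAGER OWNER", start=0)

# Lowest rank allowed to write in an area; unlisted areas fail closed.
WRITE_RANK = {"Fittings": Rank.CONTRIBUTOR, "Doctrines": Rank.DOCTRINE_MANAGER,
              "Certificates": Rank.DOCTRINE_MANAGER, "Groups": Rank.GROUP_MANAGER}


@dataclass
class Key:
    user: str
    app_perms: dict        # area -> "r" or "rw", fixed when the app is registered
    scope: Optional[int]   # None = all of the user's groups, else one group id


@dataclass
class Group:
    gid: int
    ranks: dict            # user -> Rank for approved members
    api_blocked: bool = False


def authorize(key, group, area, write=False, item_owner=None, calendar=False):
    """Return (http_status, reason); every denial is a 403, as the page's tip says."""
    granted = key.app_perms.get(area)
    if granted is None or (write and granted != "rw"):
        return 403, "app lacks permission for this area"
    if key.scope is not None and key.scope != group.gid:
        return 403, "key is scoped to another group"
    if group.api_blocked and not calendar:   # the block does not cover the Calendar API
        return 403, "group has the API block enabled"
    rank = group.ranks.get(key.user)
    if rank is None:
        return 403, "user is not a member of the group"
    if write:
        needed = WRITE_RANK.get(area)
        if needed is None or rank < needed:
            return 403, "group rank too low"
        # Contributors may only edit or delete fittings they added themselves.
        if area == "Fittings" and rank == Rank.CONTRIBUTOR and item_owner not in (None, key.user):
            return 403, "contributors can only change their own fittings"
    return 200, "ok"
```

A request succeeds only when every layer allows it, so a Group Manager's key is still refused if the app was registered without the area or the group has the block turned on.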