osu-web

API scope requirement for chat announcement seems wrong

Open cl8n opened this issue 2 years ago • 4 comments

you need only chat.write_manage, which requests to "Join and leave channels on your behalf."

but posting a chat announcement includes sending the actual message too. I think it should require both chat.write and chat.write_manage.

cl8n, Oct 06 '23 04:10

This is a weird one.

The other functionality of this endpoint is for joining a PM channel, despite the function being called "store". It doesn't even actually create the channel in that case.

Neither chat.write nor chat.write_manage says anything about creating a channel, but if anything, just chat.write_manage is the closest thing if we're to update the description of it being creating the channel (including everything that's required for it). I think the first message of an announcement channel is kind of special anyway, in the sense that it's part of the channel's identity.

nanaya, Sep 06 '24 13:09

I guess I don't have a strong opinion on exactly which scopes should be required then, but yes the text on the authorize page needs to be clarified in some way. currently, it does not sound like you're authorizing to create announcements

cl8n, Sep 07 '24 02:09

oh, and I think user group privileges aren't available for oauth by default...?

nanaya, Sep 07 '24 04:09

> oh, and I think user group privileges aren't available for oauth by default...?

except announce group, yes (User::isChatAnnouncer)

properly requesting to use certain group permissions over api is something I wanted to try as a prereq to #7441, but it would also be appropriate here. I wanted to do something like "Use your group privileges to [create a chat announcement]", which would allow the api client to perform all of the group checks within checkChatAnnounce, but nowhere else

cl8n, Sep 07 '24 06:09