Basic group members effectively have a read-only view of everything. All approved members, fittings, and doctrines are visible but cannot be modified in any way. Members can, however, create fleets within the group.
The Fleet-Up API has several levels of permissions that control what data can be accessed. The sections below explain the main areas of concern.
Tip: A permissions failure will almost always return an HTTP 403 status plus a JSON document with a message and code.
Fleet-Up API keys are always generated for a specific app. This means that a key generated for one app cannot be used by another. When an app is registered on Fleet-Up the developer specifies which permissions and data access they require. These permissions are immutable and are shown to users that wish to create keys for the app. So, users will understand what an app can and cannot do through the API using their key.
| Permission Area | Available Options |
|---|---|
| My Group Memberships | Read-only Access |
| Groups | Read & Write Access |
| Fittings | Read & Write Access |
| Doctrines | Read & Write Access |
| Timers | Read & Write Access |
| Operations | Read & Write Access |
| Fleet History | Read-only Access |
| Flyable Information | Read-only Access |
| Certificates | Read & Write Access |
| Shopping Lists | Read & Write Access |
Fleet-Up already supports permissions at a group level that control what group members are able to do. At the most basic "Member" level users mostly get a read-only view of data on Fleet-Up, whereas a "GroupManager" can perform almost any task under a specific group. When using the Fleet-Up API these permissions remain in place. Therefore a user can only perform an operation through their API key that they would be able to perform through the UI.
Members with a rank of 'Contributor' have the same abilities as above but may also import, edit, and delete fittings. Contributors may only edit and delete fittings which they added.
Members with a rank of 'Fitting Manager' have the same abilities as above but may also import, edit, and delete their own or any other member's fittings. Fitting Managers can help check and audit uploaded fittings as well as add their own for the benefit of the group.
Members with a rank of 'Doctrine Manager' have the same abilities as above but may also create, edit, and delete any doctrines. Doctrine Managers are able to define and update doctrines for the benefit of other group members. In addition to this, Doctrine Managers have the ability to run 'Pilot Reports' against a doctrine or individual fitting that shows how many pilots can fly each ship. Doctrine Managers also have rights to create, update, and delete Certificates (skill-plans) as well as run pilot reports against them.
Members with a rank of 'Group Manager' have the same abilities as above but also have the ability to manage the group itself. Group Managers can edit the group details and settings, approve pending applications plus they can remove members or change the management level of other members. Group Managers cannot remove or edit the 'Creator/Owner'. Group Managers can see but not edit the group-sharing information.
The creator and owner of the group has all the above abilities plus they can manage all permissions as well as delete the group. The group owner can also administer the group-sharing permissions to allow information to be shared with other groups.
There is a checkbox on the members list that allows members to be defined as able to post operations and timers. Group Managers and Creator/Owners can post operations by default and can edit any other user's operation or timer. Other users can only edit their own operations.
When a user creates an API key for an app registered on Fleet-Up.com they can select a group "scope". The group scope controls which groups the API key has access to, and so allows a user to restrict the groups that a particular API key might access. For example, if a user is a member of multiple groups on Fleet-Up they may not wish for an app for one alliance to access their other groups.
There are two states for the group scope: the user may select that their API key can access all their groups, or they may restrict access to one specific group. These are the only options currently available.
At a group level, group managers and owners have the option to turn on an API "block". Doing so will prevent all API access to the group. The purpose of this is to give Fleet-Up group managers the control to prevent API access to the data.
To toggle the API block visit the Groups section, click the "Edit" button against a group, and click the "API Access" tab.
Please Note: The API block does not block the "Calendar API", which allows users to sync operations to their phone or similar.
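The layers described on this page (the group API block, the key's group scope, the app's registered permissions, and the user's group rank) all have to pass before a request is allowed. The following is an added example that models that decision, not Fleet-Up's own code; the class, field and function names, the order of the checks, and the reason strings are assumptions.

```python
from dataclasses import dataclass
from typing import Optional

# Ranks in the cumulative order the page describes (each adds to the one before).
RANKS = ["Member", "Contributor", "Fitting Manager",
         "Doctrine Manager", "Group Manager", "Creator/Owner"]
# Minimum rank to write in an area; only areas the page spells out are modelled.
WRITE_RANK = {"Fittings": "Contributor", "Doctrines": "Doctrine Manager",
              "Certificates": "Doctrine Manager", "Groups": "Group Manager"}

@dataclass
class ApiKey:
    app_permissions: dict        # area -> "read" or "write", fixed when the app is registered
    group_scope: Optional[int]   # None = all of the user's groups, else one group id

@dataclass
class Group:
    group_id: int
    api_blocked: bool            # the group-level API "block" (Calendar API not modelled)
    ranks: dict                  # user id -> rank name

def authorize(key, user_id, group, area, action, resource_owner=None):
    """Return (allowed, reason). Every layer must pass; a denial maps to HTTP 403."""
    if group.api_blocked:
        return False, "group API block is on"
    if key.group_scope is not None and key.group_scope != group.group_id:
        return False, "group outside key scope"
    granted = key.app_permissions.get(area)
    if granted is None or (action == "write" and granted != "write"):
        return False, "app lacks permission"
    rank = group.ranks.get(user_id)
    if rank is None:
        return False, "not a group member"
    if action == "read":
        return True, "ok"
    needed = WRITE_RANK.get(area)
    if needed is None:
        return False, "area not modelled"
    if RANKS.index(rank) < RANKS.index(needed):
        return False, "rank too low"
    # Contributors may edit or delete only fittings they added (None = new import).
    if area == "Fittings" and rank == "Contributor" and resource_owner not in (None, user_id):
        return False, "contributors edit only their own fittings"
    return True, "ok"

if __name__ == "__main__":
    key = ApiKey({"Fittings": "write"}, group_scope=1)   # constructed sample data
    grp = Group(1, False, {42: "Contributor"})
    print(authorize(key, 42, grp, "Fittings", "write", resource_owner=7))
```

The useful property to check in any integration is that a write-capable key never grants more than the user's rank allows in the UI, and that a scoped key is refused for every other group the user belongs to.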