feat: restrict certain endpoints from API tokens and/or read-only tokens

backend/routes/user/delete_user.go

@@ -12,8 +12,8 @@ func (s *Server) deleteUser(w http.ResponseWriter, r *http.Request) error {
 	ctx := r.Context()
 	claims, _ := server.ClaimsFromContext(ctx)
 
-	if claims.APIToken || !claims.TokenWrite {
-		return server.APIError{Code: server.ErrMissingPermissions}
+	if claims.APIToken {
+		return server.APIError{Code: server.ErrMissingPermissions, Details: "This endpoint cannot be used by API tokens"}
 	}
 
 	tx, err := s.DB.Begin(ctx)

backend/routes/user/export.go

@@ -14,6 +14,10 @@ func (s *Server) startExport(w http.ResponseWriter, r *http.Request) error {
 	ctx := r.Context()
 	claims, _ := server.ClaimsFromContext(ctx)
 
+	if claims.APIToken {
+		return server.APIError{Code: server.ErrMissingPermissions, Details: "This endpoint cannot be used by API tokens"}
+	}
+
 	hasExport, err := s.DB.HasRecentExport(ctx, claims.UserID)
 	if err != nil {
 		log.Errorf("checking if user has recent export: %v", err)
@@ -56,6 +60,10 @@ func (s *Server) getExport(w http.ResponseWriter, r *http.Request) error {
 	ctx := r.Context()
 	claims, _ := server.ClaimsFromContext(ctx)
 
+	if claims.APIToken {
+		return server.APIError{Code: server.ErrMissingPermissions, Details: "This endpoint cannot be used by API tokens"}
+	}
+
 	de, err := s.DB.UserExport(ctx, claims.UserID)
 	if err != nil {
 		if err == db.ErrNoExport {

backend/routes/user/patch_user.go

@@ -28,6 +28,10 @@ func (s *Server) patchUser(w http.ResponseWriter, r *http.Request) error {
 
 	claims, _ := server.ClaimsFromContext(ctx)
 
+	if !claims.TokenWrite {
+		return server.APIError{Code: server.ErrMissingPermissions, Details: "This token is read-only"}
+	}
+
 	var req PatchUserRequest
 	err := render.Decode(r, &req)
 	if err != nil {