Add user access control via token capabilities
Add a capabilities header to authentication tokens so per-token access can be restricted at a basic level. This header should be called `cpb` or `cap` or `perms` or something similar.
The capabilities should be:
- `read`: allow read access to all resources that the account can access (except account information)
- `write`: allow write access to all resources that the account can access (except uploading files and account information)
- `upload`: allow uploading files as the authenticated user
- `upload_anonymous`: allow uploading files anonymously
- `account_read`: allow reading account information
- `account_write`: allow updating account information (includes generating new tokens)
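
One way a server could enforce these capabilities, as an added example that is not part of the original issue or the project's code. It assumes the header is named `cap`, holds a list of capability names, and comes from a token whose signature was already verified; the `(action, kind)` request model and the function names are hypothetical, each capability is treated as independent (`write` does not imply `read`), and a token without the header is denied.

```python
# Added example: capability enforcement for the token header proposed above.
# Assumptions: header key "cap" (one of the names suggested), value is a list
# of strings, token signature already verified by the caller.

KNOWN_CAPS = frozenset({
    "read", "write", "upload", "upload_anonymous",
    "account_read", "account_write",
})

# Hypothetical request model: (action, resource kind) -> required capability.
REQUIRED = {
    ("read", "resource"): "read",
    ("write", "resource"): "write",
    ("upload", "file"): "upload",
    ("upload_anonymous", "file"): "upload_anonymous",
    ("read", "account"): "account_read",
    ("write", "account"): "account_write",
    ("create_token", "account"): "account_write",  # "includes generating new tokens"
}


def parse_caps(token_header):
    """Return the set of recognised capabilities; anything malformed grants nothing."""
    raw = token_header.get("cap")
    if not isinstance(raw, list):
        return frozenset()  # missing header or wrong type: deny everything
    return frozenset(c for c in raw if isinstance(c, str) and c in KNOWN_CAPS)


def is_allowed(token_header, action, kind):
    """Fail closed: unknown operations and missing capabilities are denied."""
    required = REQUIRED.get((action, kind))
    if required is None:
        return False
    return required in parse_caps(token_header)


if __name__ == "__main__":
    upload_only = {"cap": ["upload"]}  # constructed sample header
    for op in [("upload", "file"), ("read", "resource"), ("read", "account")]:
        print(op, is_allowed(upload_only, *op))
```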