Allow non-instructor API tokens to be used to fetch course data

[AmitPr]

Motivation

Allowing students, and other PL users with API tokens to access resources that they have view-access to will prove useful in any third-party integrations and students tinkering with fetching their own workload.

Currently, the only way to access upcoming coursework and other information is to scrape HTML pages, which is not only complicated (Automating SAML2 login workflow), but also doesn't provide all the information that could be returned from querying the database.

Proposal

I believe that a few small changes will allow the PrairieLearn API to correctly handle API tokens on student accounts accessing resources that they have permission to.

SQL queries from the pages/studentXXXX can be easily copied to files in the api/v1/endpoints folder, and since the API token middleware already initializes authz_data in the same way as a web-interface user's requests would, little to no changes should be required in the code.

Personally, I would appreciate if this issue was addressed, since it seems like something that should only take a few minutes to setup and test by someone who is knowledgable about the codebase. If I had more time and the ability to setup a local test environment without too much hassle, I would try to address this and submit a PR, but I simply can't allocate hours to getting setup with developing in this environment.

Thanks.

[nwalters512]

Thanks for submitting this request! We'd be happy to take a PR adding this functionality, but it's unlikely to be prioritized for now by the core devs. I suspect it'd take more than a few minutes to implement this though: there are likely some intricacies with authorization that'll need to be handled and thoroughly tested.

Re: getting set up with a local dev environment, it definitely shouldn't take hours if you opt for the "develop in Docker" approach - see https://prairielearn.readthedocs.io/en/latest/installingLocal/.