
I inadvertently set scope=user-read-private for my application and found out that it is still possible to create playlists and add tracks to them. I would have expected a 'not authorised' response.

There are two scopes which I would have expected to control this access: playlist-modify-public and playlist-modify-private.

They do not appear to be redundant.

Has anyone else been able to confirm this behaviour?

Edit: It appears that the scope that you request for the application is only checked to be a part of the existing total scope already requested for the application. If you reduce the requested scope it does not reduce the total scope, and thus pre-existing parts are still present.

I cannot confirm the behaviour by trying with the developer console on developer.spotify.com/web-api/console/post-playlists and setting only scope=user-read-private. I get 403 "Insufficient client scope". This feels more like an issue to bring up in github.com/spotify/web-api than here. - jooon

1 Answer


It's enough to have the playlist-modify-public scope, you just can't create private playlists. Read more about the public, private and collaborative model on our Developer site.
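The public/private model in the answer, together with the 403 "Insufficient client scope" reported in the comment, can be written down as a small decision table. The following is an added example, not code from the question, the answer or Spotify; `check_create_playlist` is a hypothetical stand-in for the server-side scope check (Spotify's real implementation is not published here), and the only real identifiers are the scope names from the page, the https://accounts.spotify.com/authorize endpoint and its standard space-separated `scope` parameter. The client_id and redirect URI are placeholders. The asker's observation that a reduced scope request does not shrink a previously granted scope is deliberately not modelled, since the comment could not reproduce it.

```python
from urllib.parse import urlencode

# Scope names taken from the page.
USER_READ_PRIVATE = "user-read-private"
PLAYLIST_MODIFY_PUBLIC = "playlist-modify-public"
PLAYLIST_MODIFY_PRIVATE = "playlist-modify-private"

# Real Spotify Accounts endpoint for the Authorization Code flow.
AUTHORIZE_URL = "https://accounts.spotify.com/authorize"


def authorize_url(client_id: str, redirect_uri: str, scopes, state: str) -> str:
    """Build the /authorize request URL. Spotify expects `scope` as a single
    space-separated string; urlencode turns the spaces into '+'."""
    params = {
        "client_id": client_id,
        "response_type": "code",
        "redirect_uri": redirect_uri,
        "scope": " ".join(scopes),
        "state": state,  # CSRF binding between request and callback
    }
    return AUTHORIZE_URL + "?" + urlencode(params)


def parse_scopes(scope_field: str) -> frozenset:
    """Parse the space-separated `scope` string returned with a token."""
    return frozenset(scope_field.split())


def required_scope_for_create_playlist(public: bool) -> str:
    """Per the answer: a public playlist needs playlist-modify-public,
    a private one needs playlist-modify-private."""
    return PLAYLIST_MODIFY_PUBLIC if public else PLAYLIST_MODIFY_PRIVATE


def check_create_playlist(granted: frozenset, public: bool) -> tuple:
    """Hypothetical server-side check (assumption, not Spotify's code):
    return the (status, message) a scope-enforcing endpoint would produce."""
    needed = required_scope_for_create_playlist(public)
    if needed in granted:
        return 201, "Created"
    # Matches the response quoted in the comment on the question.
    return 403, "Insufficient client scope"


if __name__ == "__main__":
    # Constructed token scope strings, one per scenario on the page.
    for label, scope_field in [
        ("only user-read-private", USER_READ_PRIVATE),
        ("only playlist-modify-public", PLAYLIST_MODIFY_PUBLIC),
        ("both modify scopes", PLAYLIST_MODIFY_PUBLIC + " " + PLAYLIST_MODIFY_PRIVATE),
    ]:
        granted = parse_scopes(scope_field)
        for public in (True, False):
            status, msg = check_create_playlist(granted, public)
            print(f"{label:28s} public={public!s:5s} -> {status} {msg}")
    print(authorize_url("YOUR_CLIENT_ID", "https://example.invalid/callback",
                        [PLAYLIST_MODIFY_PUBLIC, PLAYLIST_MODIFY_PRIVATE], "xyz"))
```

Run it to see that a token carrying only playlist-modify-public is accepted for a public playlist and rejected for a private one, while a token carrying only user-read-private is rejected for both, which is the behaviour the comment describes. When debugging a scope problem like the one in the question, compare the `scope` field of the token you are actually sending against this table rather than the scope you last requested.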