Goodreads Developers discussion

bugs > Listing shelf privacy issue


message 1: by Yoly (new)

Yoly (macaruchi) | 22 comments When I try to list the books for a particular user's shelf (including my own) I get a forbidden response.

I checked my privacy settings and I had the setting Who Can View My Profile set to Goodreads members and I was getting a forbidden response.
Then I changed my setting to anyone (including search engines) and I am able to list the books on a shelf.

Is this behavior intended? It doesn't make sense if I am a Goodreads member (I have authenticated with oAuth) and the profile visibility setting is set to Goodreads members, I should be able to get the data. Also if I am a friend to this person and their profile visibility is set to just my friends and I'm sending a request with my authentication token I should be able to get these items as well.

I believe this is a bug since the API should behave the same way as browsing the website does.

Or maybe I'm missing something?
I'm requesting the information from the following URL
https://www.goodreads.com/review/list...



message 2: by Michael (new)

Michael Economy (michaeleconomy) You need to use oauth. Attaching the key (like you're doing) is for unauthenticated (similar to signed out) requests.

see: https://www.goodreads.com/api/documen...


message 3: by Yoly (new)

Yoly (macaruchi) | 22 comments Thank you for your reply Michael.

I am using oauth.
When I change the url to
https://www.goodreads.com/review/list... (without the key) I get a 401 response Invalid API key.
When I submit the key and try to list a user's shelf with the privacy set to "Goodreads Members" I get a 403 response.

I originally included the key in the url because your documentation says the key is required:
https://www.goodreads.com/api#reviews...

I am testing this in both Python and Postman, getting the same results on both.


message 4: by Michael (new)

Michael Economy (michaeleconomy) Which oAuth library are you using?


message 5: by Yoly (new)

Yoly (macaruchi) | 22 comments On python I'm using rauth https://github.com/litl/rauth but I'm also getting the same results testing with the chrome extension Postman.


message 6: by Michael (new)

Michael Economy (michaeleconomy) Can you share your python code?


message 7: by Yoly (new)

Yoly (macaruchi) | 22 comments Sure.

I already have the access token and the token secret when I did the oauth authorization. I replaced my key with xxxxx.

new_session = OAuth1Session(
    consumer_key=key,
    consumer_secret=secret,
    access_token=oauth_token,
    access_token_secret=oauth_secret
)

return new_session.get('https://www.goodreads.com/review/list...')

I did this based on your Python example.
https://www.goodreads.com/api/oauth_e...


message 8: by Michael (new)

Michael Economy (michaeleconomy) you need to do all this stuff (from rauth docs):



Then get an OAuth 1.0 request token:

request_token, request_token_secret = twitter.get_request_token()

Go through the authentication flow. Since our example is a simple console application, Twitter will give you a PIN to enter.

authorize_url = twitter.get_authorize_url(request_token)

print 'Visit this URL in your browser: ' + authorize_url
pin = raw_input('Enter PIN from browser: ') # `input` if using Python 3!


Exchange the authorized request token for an authenticated OAuth1Session:

session = twitter.get_auth_session(request_token,
                                   request_token_secret,
                                   method='POST',
                                   data={'oauth_verifier': pin})




(replace twitter with "new_session")


That's how we know which user you're authing on behalf of.

This stuff is pretty confusing, sorry if I'm not doing a great job of explaining. The best resource I've seen is http://oauth.net, but that's now more focused on oAuth 2 (which we don't support).
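
Added example, not part of the thread and not Goodreads or rauth code: a minimal OAuth 1.0 (RFC 5849) HMAC-SHA1 sketch showing why a key-only request carries no user identity while a token-signed request does, and that the signature is bound to the HTTP method and parameters. The endpoint, keys, secrets and user id are constructed placeholders.

```python
import base64, hashlib, hmac
from urllib.parse import quote

# Constructed server-side records (placeholders, not real Goodreads data).
CONSUMERS = {"demo-key": "demo-consumer-secret"}
TOKENS = {"demo-token": ("demo-token-secret", "user-42")}
URL = "https://api.example.test/shelf"  # hypothetical endpoint

def pct(value):
    """RFC 5849 percent-encoding: only unreserved characters stay literal."""
    return quote(str(value), safe="-._~")

def sign(method, url, params, consumer_secret, token_secret):
    """HMAC-SHA1 over the method, the URL and every sorted parameter."""
    pairs = sorted((pct(k), pct(v)) for k, v in params.items())
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    base = "&".join([method.upper(), pct(url), pct(normalized)])
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    digest = hmac.new(key, base.encode(), hashlib.sha1).digest()
    return base64.b64encode(digest).decode()

def signed_request(method, url, params):
    """Client side: add the oauth_* fields and sign with both secrets."""
    p = dict(params, oauth_consumer_key="demo-key", oauth_token="demo-token",
             oauth_signature_method="HMAC-SHA1",
             oauth_timestamp="1400000000", oauth_nonce="constructed-nonce")
    p["oauth_signature"] = sign(method, url, p, CONSUMERS["demo-key"],
                                TOKENS["demo-token"][0])
    return p

def identify_caller(method, url, params):
    """Server side: user id the request acts for, or None if anonymous.

    Nonce and timestamp replay checks are left out of this sketch.
    """
    params = dict(params)
    supplied = params.pop("oauth_signature", None)
    consumer_secret = CONSUMERS.get(params.get("oauth_consumer_key"))
    token = TOKENS.get(params.get("oauth_token"))
    if not (supplied and consumer_secret and token):
        return None  # key-only request: handled like a signed-out visitor
    expected = sign(method, url, params, consumer_secret, token[0])
    return token[1] if hmac.compare_digest(supplied, expected) else None
```

A privacy check such as "Goodreads members only" can only be evaluated when `identify_caller` returns a user; a request that sends just the developer key resolves to no user at all.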


message 9: by Yoly (new)

Yoly (macaruchi) | 22 comments I had already done the oauth authentication, in fact I could see the app authorized on my account profile page on the apps tab.

To confirm that this wasn't an oauth problem I had on my end I added a book to my bookshelf from Python and it worked successfully, so that confirmed that I was having an issue with the call to get the user's bookshelf only and my authentication was working correctly.

So I started to play around with the url and the way I'm sending the request and this is what I eventually ended up with on my function:

data = {'shelf': 'read', 'id': '6837622'}
return new_session.post('https://www.goodreads.com/review/list...', data)

instead of what I had before:

return new_session.get('https://www.goodreads.com/review/list...')


Your documentation says the http method is GET and that the key is a required parameter and the sample url it provides
https://www.goodreads.com/review/list... is different than what ended up working.
Is the documentation outdated or is there a different kind of convention used for oauth and non-oauth requests?

Another question, when I see the apps that I have authorized on my profile page, I see mine listed as "no application", is this normal?

Again, thanks for your help.


message 10: by Ettore (new)

Ettore Pasquini oh I see what you mean (maybe):

The sample URL is in the following format in the api docs:
https://www.goodreads.com/review/list...

You are right that the URL in the api docs is a little different:
https://www.goodreads.com/review/list...

The way you specify the xml format should be equivalent:
https://www.goodreads.com/review/list...

I tested this using KEY authorization though, for a user who is not private and all the above methods work.

The latter seems like it is working for you, but I'll file a ticket to fix the other cases (all the above methods should be equivalent and should all work).

About the last question: did you set an application name under https://www.goodreads.com/api/keys ?


message 11: by Yoly (new)

Yoly (macaruchi) | 22 comments I also tried https://www.goodreads.com/review/list... and also get a "forbidden" response. So the only way to make it work for oauth authorization seems to be with:

https://www.goodreads.com/review/list... and sending the parameters as json via POST.

I did specify the application name on the keys page, which is why I find it odd that it doesn't say the name on the apps tab on my profile.


message 12: by Ettore (new)

Ettore Pasquini agree -- my only answer at this point is to wait for the ticket to be fixed. We'll update this topic when that happens.
Sorry for these issues!


message 13: by Yoly (new)

Yoly (macaruchi) | 22 comments Thank you for your reply. It's no big deal, I just found it odd that it didn't show the name.

