API keys not restricted by permissions?
Summary
API keys are not restricted by permissions.
Steps to reproduce
Use the web GUI to create an API key, and give it the Can Get Logs permission only.
Resulting and expected behaviour
Using the created API key, you are able to watch camera streams and grab jpeg snapshots:
https://xxx.xxx.xxx.xxx/[API KEY]/hls/[GROUP KEY]/[MONITOR ID]/s.m3u8
https://xxx.xxx.xxx.xxx/[API KEY]/jpeg/[GROUP KEY]/[MONITOR ID]/s.jpg
The API key has neither the Can View Streams nor the Can View Snapshots permission, so I would expect access to be denied.
Version
Latest dev branch commit b4c886c1 running in a docker container built from source.