Hi everyone,
I'm working on a tool that adds a custom button to the Canvas interface using JavaScript injected via a Canvas Theme. The goal is to allow teachers to calculate and update rubric scores for an assignment (e.g., entering an average mastery score into a rubric criterion using the Canvas API).
So far, I'm able to:
Detect the correct page (e.g., Gradebook)
Inject the custom UI
Calculate mastery averages using GET requests (e.g., /outcome_rollups)
However, when I try to submit a PUT request to update grades using the rubric_assessment parameter (e.g., to /api/v1/courses/:course_id/assignments/:assignment_id/submissions/:user_id), the request fails with a 422 error. I assume this is because the Theme script is not authenticated with a valid access token.
My questions:
Is it possible for a Theme-injected script to gain write access to Canvas APIs (e.g., grading endpoints)?
If not, is the recommended approach to offload write access to a backend service or Chrome Extension that has access to a secure token?
I want to make sure I'm not overlooking an officially supported method before I shift my architecture to use a server or browser extension.
Thanks in advance for your insights!
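An added example, not part of the original post: the same-origin PUT to the submissions endpoint named above, built so that it carries the viewer's own session rather than an embedded access token. It assumes Canvas's convention for session-authenticated non-GET calls, where the URL-decoded `_csrf_token` cookie is sent in an `X-CSRF-Token` header. The function names, IDs, criterion id and cookie values are constructed for illustration.

```javascript
// Added example: helper names and sample values are constructed, not from the post.

// Pull the URL-encoded CSRF token out of a cookie string (document.cookie in a browser).
function csrfTokenFromCookies(cookieString) {
  for (const part of cookieString.split(";")) {
    const eq = part.indexOf("=");
    if (eq !== -1 && part.slice(0, eq).trim() === "_csrf_token") {
      return decodeURIComponent(part.slice(eq + 1).trim());
    }
  }
  return null;
}

// Encode { criterionId: points } as rubric_assessment[criterionId][points]=N pairs.
function rubricAssessmentBody(scores) {
  const params = new URLSearchParams();
  for (const [criterionId, points] of Object.entries(scores)) {
    if (!/^\w+$/.test(criterionId)) throw new Error(`bad criterion id: ${criterionId}`);
    if (!Number.isFinite(points) || points < 0) throw new Error(`bad points for ${criterionId}`);
    params.append(`rubric_assessment[${criterionId}][points]`, String(points));
  }
  return params.toString();
}

// Build the fetch() arguments for the submissions endpoint named in the post.
function buildRubricUpdate({ courseId, assignmentId, userId, scores }, cookieString) {
  for (const id of [courseId, assignmentId, userId]) {
    if (!Number.isInteger(id) || id <= 0) throw new Error(`bad id: ${id}`);
  }
  const token = csrfTokenFromCookies(cookieString);
  if (!token) throw new Error("no _csrf_token cookie: not a logged-in Canvas session");
  return {
    url: `/api/v1/courses/${courseId}/assignments/${assignmentId}/submissions/${userId}`,
    init: {
      method: "PUT",
      credentials: "same-origin", // send the session cookie, never a stored API token
      headers: {
        "Content-Type": "application/x-www-form-urlencoded",
        "X-CSRF-Token": token,
        Accept: "application/json",
      },
      body: rubricAssessmentBody(scores),
    },
  };
}

// In a Theme script: const { url, init } = buildRubricUpdate(args, document.cookie);
//                    const res = await fetch(url, init); then check res.ok / res.status.
```

Because the call rides on the viewer's session, it can only do what that user is already permitted to do. No access token has to be placed in Theme JavaScript, which is delivered to every user of the instance.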