I've been experimenting with adding some checkuser functionality to spi-tools, and scratching my head over why I'm getting permissiondenied errors. I think I finally figured it out. It looks like my OAuth consumer https://meta.wikimedia.org/wiki/Special:OAuthListConsumers/view/35ecb3674a09ea495c0f89abb2382acb doesn't have the checkuser right. So, how do I move forward? Can I add the checkuser right to my consumer key, or do I just throw my consumer key away and create a new one with the checkuser right added?
And, just to double-check, I'm assuming that adding the checkuser right to my consumer doesn't actually do anything unless the user who goes through the OAuth flow also has checkuser themselves, right?