I've been experimenting with adding some checkuser functionality to spi-tools, and scratching my head over why I'm getting permissiondenied errors. I think I finally figured it out. It looks like my OAuth consumer doesn't have the checkuser right. So, how do I move forward? Can I add the checkuser right to my consumer key, or do I just throw my consumer key away and create a new one with the checkuser right added?
And, just to double-check, I'm assuming that adding the checkuser right to my consumer doesn't actually do anything unless the user who goes through the OAuth flow also has checkuser themselves, right?