Defect #10870
closed
Private bugs are accessible via the API
Description
If I use my browser to go to http://server/redmine/issues/1234 (a private issue), I get a "403 not authorized" error.
If I go to http://server/redmine/projects/projid/issues.json I get all the issue data for the private issue.
Both requests were made with the same credentials.
I'm trying to write a changelist-type document and don't want the private issues. If the private bit were at least exposed in the json/xml, then I could filter the list myself.
Updated by Cory Riddell over 12 years ago
I just noticed that if I get the issue explicitly (http://server/redmine/issues/1234.[xml|json]), nothing is returned (except an error message when getting xml). I only get the issue data back when I am getting back multiple issues using the offset and limit parameters.
Updated by Cory Riddell over 12 years ago
I was able to get the is_private data by modifying views/issues/show.api.rsb and adding:
api.is_private @issue.is_private
I put this line right after the line for api.spent_hours.
I don't know if I've just done something horrible, but after a restart, I'm not getting "is_private: true" in my json output.
Updated by Jean-Philippe Lang over 12 years ago
- Resolution set to Cant reproduce
Any plugins installed?
The code that fetches the issues list for API or HTML response is the same so I can't see how it can happen.
Updated by Cory Riddell over 12 years ago
Jean-Philippe Lang wrote:
> Any plugins installed?
> The code that fetches the issues list for API or HTML response is the same so I can't see how it can happen.
The only plugin I have installed is the import plugin.
The code that fetches the issues may be the same, but the code that transforms it for output is different.
Without the line I added to views/issues/show.api.rsb, how can the is_private field ever make it to the xml or json file?
BTW, I had to add a slightly different line to index.api.rsb:
api.is_private issue.is_private
If you want me to demonstrate that one can see private issues, post the issue # for an issue that I cannot see and I'll reply with some data that shows the leakage.
Updated by Jean-Philippe Lang over 12 years ago
Cory Riddell wrote:
> If you want me to demonstrate that one can see private issues, post the issue # for an issue that I cannot see and I'll reply with some data that shows the leakage.
I've just created #10882 as a private issue here on redmine.org.
Updated by Cory Riddell over 12 years ago
- Status changed from New to Resolved
Jean-Philippe Lang wrote:
> I've just created #10882 as a private issue here on redmine.org.
Ok, I'm conceding defeat. :)
I stand by my assertion that it would be useful to include 'is_private' in the xml/json output and the two lines I mentioned do this.
In the redmine.org instance of Redmine, is the 'redmine' project public? Does making a project public nullify the effect of the private switch?
Updated by Jean-Philippe Lang over 12 years ago
- Status changed from Resolved to Closed
Cory Riddell wrote:
> Ok, I'm conceding defeat. :)
So I'm closing this defect.
> I stand by my assertion that it would be useful to include 'is_private' in the xml/json output and the two lines I mentioned do this.
Please open a feature request.
> In the redmine.org instance of Redmine, is the 'redmine' project public? Does making a project public nullify the effect of the private switch?
Of course, the redmine project is public, otherwise you wouldn't see it. And making a project public does not nullify the effect of the private switch.
Updated by Toshi MARUYAMA about 11 years ago
- Related to Feature #10914: Include is_private setting in xml/json output added
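The changelist filtering described in the original report, as an added example that is not part of the thread or of Redmine's code. It assumes the issues list output carries an `is_private` field (as the two `api.is_private` lines quoted above would emit) inside the usual `issues`/`total_count` list envelope; the sample responses and the name `partition_issues` are constructed for illustration.

```ruby
require 'json'

# Constructed sample: two pages of /projects/projid/issues.json as they would
# look once is_private is emitted (assumption). Issue 1236 lacks the field,
# as on a server whose API views have not been changed.
SAMPLE_PAGES = [
  '{"issues":[{"id":1233,"subject":"Fix login redirect","is_private":false},
              {"id":1234,"subject":"Customer escalation","is_private":true}],
    "total_count":4,"offset":0,"limit":2}',
  '{"issues":[{"id":1235,"subject":"Update help text","is_private":false},
              {"id":1236,"subject":"Imported ticket"}],
    "total_count":4,"offset":2,"limit":2}'
].freeze

# Splits issues into those safe to publish and those withheld.
# Fails closed: only a literal `false` counts as public, so a missing or
# malformed is_private value keeps the issue out of the changelist.
def partition_issues(pages)
  published = []
  withheld = []
  seen = 0
  total = nil
  pages.each do |body|
    page = JSON.parse(body)
    total ||= page.fetch('total_count')
    page.fetch('issues').each do |issue|
      seen += 1
      if issue['is_private'] == false
        published << issue
      else
        reason = issue.key?('is_private') ? 'private' : 'is_private missing'
        withheld << { 'id' => issue['id'], 'reason' => reason }
      end
    end
  end
  # An incomplete fetch would silently drop entries; make it an error instead.
  raise "expected #{total} issues, saw #{seen}" unless seen == total
  [published, withheld]
end

if __FILE__ == $PROGRAM_NAME
  published, withheld = partition_issues(SAMPLE_PAGES)
  published.each { |i| puts "##{i['id']} #{i['subject']}" }
  withheld.each { |w| warn "withheld ##{w['id']} (#{w['reason']})" }
end
```

Treating an absent field as "withheld" matters here because a server that does not emit `is_private` gives the client no way to tell a private issue from a public one.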