Feature #11502
closed
I'm not sure that everyone want the details about all their roles to be publicly visible.
Since I'm a Rails newbie I'm not sure I handled authentication correctly.
From my tests with my patch (using cookie-based auth with my browser) :
- /roles.xml is available without authentication (original behaviour)
- /roles/:id.xml requires auth, returns result for an admin, 403 Forbidden for other regular users
Is that fine ?
I might second Terence suggestion, in my case I'd be happy with a kind of read-only admin account (see everything, but don't touch anything) and finer grain permissions; but since the consumer is my own code in another controlled application, I know I only issue GETs and I'm pretty happy to access Redmine REST services at admin level.
Jean-Philippe : would you accept the attached patch while it has no POST /roles/:id.:format implementation ? I deliberately skipped that part.
- Assignee set to Jean-Philippe Lang
- Status changed from New to Closed
- Target version set to 2.2.0
- Resolution set to Fixed
Committed in r10620 with tests. The API is available to everyone, just like /roles.xml.
Also available in: Atom
PDF