Project

General

Profile

Actions

Feature #11755

closed

Impersonate user through REST API auth

Added by Vincent Caron over 12 years ago. Updated about 12 years ago.

Status:
Closed
Priority:
Normal
Category:
REST API
Target version:
Start date:
Due date:
% Done:

0%

Estimated time:
Resolution:
Fixed

Description

The following patch implement a 'switch user' feature which lets an admin-level user impersonate any other user in the context of the REST API.

For any API authentication method, it is allowed to either pass a 'su' parameter or a 'X-Redmine-Switch-User' header, which is only considered if the primary auth led to an admin-level user. The expected value is a user 'login' (no ID or API key).

This is currently very useful when linking different applications with Redmine which share the same authentication reference (LDAP in my case), but don't have access to user's credentials (their Redmine API keys or their plain password). I use an admin-level account for every app which wants to talk with Redmine, but this app should ideally lower its privileges to its current user. This feature does just that, without diving into complex SSO problems.


Files

api-auth-switch-user.patch (1.74 KB) api-auth-switch-user.patch Vincent Caron, 2012-09-01 15:33
api-auth-switch-user-v2.patch (1.81 KB) api-auth-switch-user-v2.patch Vincent Caron, 2012-10-09 23:41

Related issues

Has duplicate Redmine - Feature #11551: REST-API: Admine can create time entries for other usersClosed

Actions
Actions

Also available in: Atom PDF