Project

General

Profile

Actions
Copy link

Patch #24051

open

As a non-admin user using API, I want to be able to filter users by their username without getting forbidden exception

Added by Anonymous about 8 years ago. Updated about 8 years ago.

Status:
Resolved
Priority:
Normal
Assignee:
-
Category:
REST API
Target version:
-
Start date:
Due date:
% Done:

0%

Estimated time:

Description

We created an Odoo -> Redmine connector for uploading time spent from Redmine to HR tools in Odoo (https://github.com/savoirfairelinux/connector-redmine/tree/ddufresne_port_to_8_0).

When we call that function from a superuser API key, all works well, but when it is normal user API key, it does return a forbidden exception :

redmine_api.user.filter(name="SOMEUSERNAME")

I think that to reinforce security by not giving superuser Redmine API key to Odoo would be interesting.

That would be possible by allowing standard Redmine users to use API to filter users by their username instead of throwing an exception.

Files

Download all files
0001-As-a-non-admin-user-using-API-I-want-to-be-able-to-f.patch (979 Bytes) 0001-As-a-non-admin-user-using-API-I-want-to-be-able-to-f.patch Anonymous, 2016-10-11 20:55
allowing-nonsuperusers-to-search-users-by-filters-from-api.patch (371 Bytes) allowing-nonsuperusers-to-search-users-by-filters-from-api.patch Anonymous, 2016-10-12 16:56
redmine_lte_v3.2_allow-stdusers-filter-users-from-api.patch (371 Bytes) redmine_lte_v3.2_allow-stdusers-filter-users-from-api.patch Redmine <= 3.2 patch for non-superuser can filter users by API Anonymous, 2016-10-12 17:08
redmine_lt_v3.3_allow-stdusers-filter-users-from-api.patch (371 Bytes) redmine_lt_v3.3_allow-stdusers-filter-users-from-api.patch Anonymous, 2016-10-12 17:11

Related issues

Related to Redmine - Defect #7773: Only Redmine administrators can get users from REST APINew2011-03-04

Actions
Actions
Copy link
 #1

Updated by Anonymous about 8 years ago

There is the patch for the development version. Requesting review for implement.

GitHub pull request if its now a thing : https://github.com/redmine/redmine/pull/86

Actions
Copy link
 #3

Updated by Anonymous about 8 years ago

You can use this patch if you have Redmine <= 3.2

Actions
Copy link
 #5

Updated by Holger Just about 8 years ago

When removing the admin requirement on UsersController#index, there need to be the User.visible scope added to the ActiveRecord query in order to only show users which are visible to the current user.

Once this is fixed, I think it is a great idea to have a user listing available. With the now available role-based controls for the user visibility, this should work without negatively affecting privacy.

Actions
Copy link
 #6

Updated by Mitsuhiro Tanino about 8 years ago

I think Defect #7773 is trying to solve same problem of this and I posted a patch on that thread.
Could I get a feedback for that patch?

Actions
Copy link
 #7

Updated by Toshi MARUYAMA about 8 years ago

  • Related to Defect #7773: Only Redmine administrators can get users from REST API added
Actions
Copy link

Also available in: Atom PDF