Project

General

Profile

Actions

Patch #24051

open

As a non-admin user using API, I want to be able to filter users by their username without getting forbidden exception

Added by Anonymous over 7 years ago. Updated over 7 years ago.

Status:
Resolved
Priority:
Normal
Assignee:
-
Category:
REST API
Target version:
-
Start date:
Due date:
% Done:

0%

Estimated time:

Description

We created an Odoo -> Redmine connector for uploading time spent from Redmine to HR tools in Odoo (https://github.com/savoirfairelinux/connector-redmine/tree/ddufresne_port_to_8_0).

When we call that function from a superuser API key, all works well, but when it is normal user API key, it does return a forbidden exception :

redmine_api.user.filter(name="SOMEUSERNAME")

I think that to reinforce security by not giving superuser Redmine API key to Odoo would be interesting.

That would be possible by allowing standard Redmine users to use API to filter users by their username instead of throwing an exception.


Files


Related issues

Related to Redmine - Defect #7773: Only Redmine administrators can get users from REST APINew2011-03-04

Actions
Actions #1

Updated by Anonymous over 7 years ago

There is the patch for the development version. Requesting review for implement.

GitHub pull request if its now a thing : https://github.com/redmine/redmine/pull/86

Actions #3

Updated by Anonymous over 7 years ago

You can use this patch if you have Redmine <= 3.2

Actions #5

Updated by Holger Just over 7 years ago

When removing the admin requirement on UsersController#index, there need to be the User.visible scope added to the ActiveRecord query in order to only show users which are visible to the current user.

Once this is fixed, I think it is a great idea to have a user listing available. With the now available role-based controls for the user visibility, this should work without negatively affecting privacy.

Actions #6

Updated by Mitsuhiro Tanino over 7 years ago

I think Defect #7773 is trying to solve same problem of this and I posted a patch on that thread.
Could I get a feedback for that patch?

Actions #7

Updated by Toshi MARUYAMA over 7 years ago

  • Related to Defect #7773: Only Redmine administrators can get users from REST API added
Actions

Also available in: Atom PDF