I'm not sure that everyone want the details about all their roles to be publicly visible.
--------------------------------------------------------------------------------
Then we would need a right to have access to that roles information (at the moment onyl admin has this via web gui or using additional plugin like redmine_information (http://www.redmine.org/plugins/rp_information).

--------------------------------------------------------------------------------
Since I'm a Rails newbie I'm not sure I handled authentication correctly.

From my tests with my patch (using cookie-based auth with my browser) :
* /roles.xml is available without authentication (original behaviour)
* /roles/:id.xml requires auth, returns result for an admin, 403 Forbidden for other regular users

Is that fine ?

I might second Terence suggestion, in my case I'd be happy with a kind of read-only admin account (see everything, but don't touch anything) and finer grain permissions; but since the consumer is my own code in another controlled application, I know I only issue GETs and I'm pretty happy to access Redmine REST services at admin level.

Jean-Philippe : would you accept the attached patch while it has no POST /roles/:id.:format implementation ? I deliberately skipped that part.

--------------------------------------------------------------------------------

--------------------------------------------------------------------------------
Committed in r10620 with tests. The API is available to everyone, just like /roles.xml.
--------------------------------------------------------------------------------

relates,Closed,12472,Roles REST API does not accept API authentication