Vote #77894

Open

As a non-admin user using API, I want to be able to filter users by their username without getting forbidden exception

Added by Admin Redmine about 2 years ago. Updated about 2 years ago.

Status:
Resolved
Priority:
Normal
Assignee:
-
Category:
REST API_32
Target version:
-
Start date:
2022/05/09
Due date:
% Done:

0%

Estimated time:
category_id:
32
version_id:
0
issue_org_id:
24051
author_id:
4
assigned_to_id:
0
comments:
7
status_id:
3
tracker_id:
3
plus1:
0
affected_version:
closed_on:
affected_version_id:
Status-->[Resolved]

Description

We created an Odoo -> Redmine connector for uploading time spent from Redmine to HR tools in Odoo (https://github.com/savoirfairelinux/connector-redmine/tree/ddufresne_port_to_8_0).

When we call that function from a superuser API key, all works well, but when it is a normal user API key, it returns a forbidden exception:

redmine_api.user.filter(name="SOMEUSERNAME")

I think that reinforcing security by not giving a superuser Redmine API key to Odoo would be interesting.

That would be possible by allowing standard Redmine users to use API to filter users by their username instead of throwing an exception.


journals

There is the patch for the development version. Requesting review for implementation.

GitHub pull request, if it's now a thing: https://github.com/redmine/redmine/pull/86
--------------------------------------------------------------------------------
You can use this patch if you have Redmine <= 3.2
--------------------------------------------------------------------------------
When removing the admin requirement on @UsersController#index@, there needs to be the @User.visible@ scope added to the ActiveRecord query in order to only show users which are visible to the current user.

Once this is fixed, I think it is a great idea to have a user listing available. With the now available role-based controls for the user visibility, this should work without negatively affecting privacy.
--------------------------------------------------------------------------------
I think Defect #7773 is trying to solve the same problem as this, and I posted a patch on that thread.
Could I get feedback for that patch?
--------------------------------------------------------------------------------
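
An added illustration (not from the thread and not Redmine's own code) of the point raised in the comments: once the admin requirement is dropped from the user listing, the name filter has to run on the set of users visible to the caller. It is a plain-Ruby model; the @User@ struct, the helper names, the sample accounts and the simplified visibility rule are all assumptions.

```ruby
# Simplified stand-in for the user listing discussed above. Plain Ruby, not
# Redmine code; every name and all sample data are constructed for illustration.
User = Struct.new(:login, :admin, :projects, :users_visibility, keyword_init: true)

USERS = [
  User.new(login: "root", admin: true, projects: [], users_visibility: "all"),
  User.new(login: "odoo", admin: false, projects: ["hr"],
           users_visibility: "members_of_visible_projects"),
  User.new(login: "alice", admin: false, projects: ["hr"],
           users_visibility: "members_of_visible_projects"),
  User.new(login: "alistair", admin: false, projects: ["secret"],
           users_visibility: "members_of_visible_projects"),
].freeze

# Assumed visibility rule: admins and viewers whose role allows "all" see
# everyone; other viewers see themselves and members of projects they share.
def visible_to(viewer, users = USERS)
  return users if viewer.admin || viewer.users_visibility == "all"
  users.select { |u| u == viewer || !(u.projects & viewer.projects).empty? }
end

# Case-insensitive substring match on the login, as a name filter would do.
def filter_by_name(users, name)
  needle = name.to_s.downcase
  users.select { |u| u.login.downcase.include?(needle) }
end

# Admin check dropped, no visibility scope: any API key can enumerate logins.
def index_unscoped(_viewer, name)
  filter_by_name(USERS, name).map(&:login)
end

# Admin check dropped, visibility scope applied before the name filter.
def index_scoped(viewer, name)
  filter_by_name(visible_to(viewer), name).map(&:login)
end

odoo = USERS.find { |u| u.login == "odoo" }
root = USERS.find { |u| u.login == "root" }
puts index_unscoped(odoo, "ali").inspect # leaks a member of a project odoo is not in
puts index_scoped(odoo, "ali").inspect   # only the user odoo shares a project with
puts index_scoped(root, "ali").inspect   # admin still sees every match
```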


related_issues

relates,New,7773,Only Redmine administrators can get users from REST API

Updated by Admin Redmine about 2 years ago

  • Category set to REST API_32
