REST api access to users

Added by Anonymous almost 6 years ago

I've just started using the REST API against redmine-1.3 and have an issue that non-admin users can't query the users table e.g.

http://localhost:3000/users.xml

I can understand why you can't modify users if you are non-admin, but Redmine itself lets non-admin users view the users list via pages such as http://localhost:3000/issues and adding assignee as a filtered field.

It seems strange that the REST api disallows this access. Basically I want access to the first name, last name and id for users to develop a simple app that can query issues.

Or have I missed something?

Thanks

Replies (3)

RE: REST api access to users - Added by Александр Басов over 5 years ago

i try to create Desktop redmine client.
But without access to users.xml - it's impossible.
How i can get list of users?

RE: REST api access to users - Added by Kostas Manios about 3 years ago

I am trying to do a similar thing. Have you found any way around this issue? It seems that through the API a non-admin has no way of getting a simple list of usersnames/ids, although this is indeed possible within Redmine itself. If this is the case, the only way for a Project Manager to add a user to a project, would by to know the user id beforehand!

The best solution I found so far (which is far from perfect), is to have my projects under a parent project that has ALL users as members with no rights, and the sub-project manager is also a manager in the parent project. This way he can list all the Memberships of the parent project and get a list of members. Note however that this can raise several security issues: ideally the manager should only have manager access to the sub-project, but I am forced to give him the same access to the parent project just to be able to view the members!! (and hope one does not take advantage of this)

Hope there is a solution to this before someone finds out about this hole :)

RE: REST api access to users - Added by Kostas Manios about 3 years ago

I found a much better solution. If you have the "Redmine Group Owners plugin" installed, then you can create a group with all the users you want, and add your Project Manager as group owner.

This way, you can use:
/groups/<id>.xml?include=users

This will give you a list of the users. Note that the list will only contain empty "<user>" elements with the id and full name as attributes, so you may need to alter your API to parse this (I had to do this with the C# API). Then you will need to query each user individually to get any extra info required. However, if you put a bit of effort you can actually create a solution that works!

(1-3/3)