Project

General

Profile

Actions

Defect #10870

closed

Private bugs are accessible via the API

Added by Cory Riddell almost 12 years ago. Updated almost 12 years ago.

Status:
Closed
Priority:
Normal
Assignee:
-
Category:
REST API
Target version:
-
Start date:
Due date:
% Done:

0%

Estimated time:
Resolution:
Cant reproduce
Affected version:

Description

If I use my browser to go to http://server/redmine/issues/1234 (a private issue), I get a "403 not authorized" error.

If I go to http://server/redmine/projects/projid/issues.json I get all the issue data for the private issue.

Both requests were made with the same credentials.

I'm trying to write a changelist-type document and don't want the private issues. If the private bit were at least exposed in the json/xml, then I could filter the list myself.


Related issues

Related to Redmine - Feature #10914: Include is_private setting in xml/json output ClosedJean-Philippe Lang

Actions
Actions #1

Updated by Cory Riddell almost 12 years ago

I just noticed that if I get the issue explicity (http://server/redmine/issues/1234.[xml|json], nothing is returned (except an error message when getting xml). I only get the issue data back when I am getting back multiple issues using the offset and limit parameters.

Actions #2

Updated by Cory Riddell almost 12 years ago

I was able to get the is_private data by modifying views/issues/show.api.rsb and adding:

api.is_private @issue.is_private

I put this line right after the line for api.spent_hours.

I don't know if I've just done something horrible, but after a restart, I'm not getting "is_private: true" in my json output.

Actions #3

Updated by Jean-Philippe Lang almost 12 years ago

  • Resolution set to Cant reproduce

Any plugins installed?
The code that fetches the issues list for API or HTML response is the same so I can't see how it can be happen.

Actions #4

Updated by Cory Riddell almost 12 years ago

Jean-Philippe Lang wrote:

Any plugins installed?
The code that fetches the issues list for API or HTML response is the same so I can't see how it can be happen.

The only plugin I have installed is the import plugin.

The code that fetches the issues may be the same, but the code that transforms it for output is different.

Without the line I added to views/issues/show.api.rsb, how can the is_private field ever make it to the xml or json file?

BTW, I had to add a slightly different line to index.api.rsb:

api.is_private   issue.is_private

If you want me to demonstrate that one can see private issues, post the issue # for an issue that I cannot see and I'll reply with some data that shows the leakage.

Actions #5

Updated by Jean-Philippe Lang almost 12 years ago

Cory Riddell wrote:

If you want me to demonstrate that one can see private issues, post the issue # for an issue that I cannot see and I'll reply with some data that shows the leakage.

I've just created #10882 as a private issue here on redmine.org.

Actions #6

Updated by Cory Riddell almost 12 years ago

  • Status changed from New to Resolved

Jean-Philippe Lang wrote:

I've just created #10882 as a private issue here on redmine.org.

Ok, I'm conceding defeat. :)
I stand by my assertion that it would be useful to include 'is_private' in the xml/json output and the two lines I mentioned do this.

In the redmine.org instance of Redmine, is the 'redmine' project public? Does making a project public nullify the effect of the private switch?

Actions #7

Updated by Jean-Philippe Lang almost 12 years ago

  • Status changed from Resolved to Closed

Cory Riddell wrote:

Ok, I'm conceding defeat. :)

So I'm closing this defect.

I stand by my assertion that it would be useful to include 'is_private' in the xml/json output and the two lines I mentioned do this.

Please open a feature request.

In the redmine.org instance of Redmine, is the 'redmine' project public? Does making a project public nullify the effect of the private switch?

Of course, the redmine project is public otherwise you wouldn't see it. And making a project public does not nullify the effect of the private switch.

Actions #8

Updated by Toshi MARUYAMA over 10 years ago

  • Related to Feature #10914: Include is_private setting in xml/json output added
Actions

Also available in: Atom PDF