Defect #10870

Private bugs are accessible via the API

Added by Cory Riddell over 5 years ago. Updated over 5 years ago.

Status: Closed
Start date:
Priority: Normal
Due date:
Assignee: -
% Done: 0%
Category: REST API
Target version: -
Resolution: Cant reproduce
Affected version: 1.4.0

Description

If I use my browser to go to http://server/redmine/issues/1234 (a private issue), I get a "403 not authorized" error.

If I go to http://server/redmine/projects/projid/issues.json I get all the issue data for the private issue.

Both requests were made with the same credentials.

I'm trying to write a changelist-type document and don't want the private issues. If the private bit were at least exposed in the json/xml, then I could filter the list myself.


Related issues

Related to Redmine - Feature #10914: Include is_private setting in xml/json output Closed

History

#1 Updated by Cory Riddell over 5 years ago

I just noticed that if I get the issue explicitly (http://server/redmine/issues/1234.[xml|json]), nothing is returned (except an error message when getting xml). I only get the issue data back when I am getting back multiple issues using the offset and limit parameters.

#2 Updated by Cory Riddell over 5 years ago

I was able to get the is_private data by modifying views/issues/show.api.rsb and adding:

api.is_private @issue.is_private

I put this line right after the line for api.spent_hours.

I don't know if I've just done something horrible, but after a restart, I'm not getting "is_private: true" in my json output.

#3 Updated by Jean-Philippe Lang over 5 years ago

  • Resolution set to Cant reproduce

Any plugins installed?
The code that fetches the issues list for API or HTML response is the same so I can't see how it can happen.

#4 Updated by Cory Riddell over 5 years ago

Jean-Philippe Lang wrote:

Any plugins installed?
The code that fetches the issues list for API or HTML response is the same so I can't see how it can happen.

The only plugin I have installed is the import plugin.

The code that fetches the issues may be the same, but the code that transforms it for output is different.

Without the line I added to views/issues/show.api.rsb, how can the is_private field ever make it to the xml or json file?

BTW, I had to add a slightly different line to index.api.rsb:

api.is_private   issue.is_private

If you want me to demonstrate that one can see private issues, post the issue # for an issue that I cannot see and I'll reply with some data that shows the leakage.

#5 Updated by Jean-Philippe Lang over 5 years ago

Cory Riddell wrote:

If you want me to demonstrate that one can see private issues, post the issue # for an issue that I cannot see and I'll reply with some data that shows the leakage.

I've just created #10882 as a private issue here on redmine.org.

#6 Updated by Cory Riddell over 5 years ago

  • Status changed from New to Resolved

Jean-Philippe Lang wrote:

I've just created #10882 as a private issue here on redmine.org.

Ok, I'm conceding defeat. :)
I stand by my assertion that it would be useful to include 'is_private' in the xml/json output and the two lines I mentioned do this.

In the redmine.org instance of Redmine, is the 'redmine' project public? Does making a project public nullify the effect of the private switch?

#7 Updated by Jean-Philippe Lang over 5 years ago

  • Status changed from Resolved to Closed

Cory Riddell wrote:

Ok, I'm conceding defeat. :)

So I'm closing this defect.

I stand by my assertion that it would be useful to include 'is_private' in the xml/json output and the two lines I mentioned do this.

Please open a feature request.

In the redmine.org instance of Redmine, is the 'redmine' project public? Does making a project public nullify the effect of the private switch?

Of course, the redmine project is public otherwise you wouldn't see it. And making a project public does not nullify the effect of the private switch.

#8 Updated by Toshi MARUYAMA about 4 years ago

  • Related to Feature #10914: Include is_private setting in xml/json output added
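
A changelist filter of the kind the reporter describes, as an added example that is not part of the original thread or of Redmine's own code. It drops private issues from paged issues.json output and fails closed when `is_private` is absent, as it would be on a server without the view lines quoted in the thread. The response shape (`issues`, `total_count`, `offset`, `limit`), the helper names and the sample issues are assumptions constructed for illustration.

```ruby
require 'json'

# Constructed sample pages shaped like /projects/<id>/issues.json responses
# fetched with offset and limit. Not real Redmine data.
SAMPLE_PAGES = [
  '{"issues":[{"id":101,"subject":"Fix login redirect","is_private":false},
              {"id":102,"subject":"Customer escalation","is_private":true}],
    "total_count":4,"offset":0,"limit":2}',
  '{"issues":[{"id":103,"subject":"Update translations"},
              {"id":104,"subject":"Speed up search","is_private":false}],
    "total_count":4,"offset":2,"limit":2}'
].freeze

# Splits issues into publishable and withheld. An issue is publishable only
# when is_private is present and exactly false; a missing field (a server
# whose API view does not emit is_private) is treated as private.
def partition_issues(pages)
  public_issues = []
  withheld = []
  pages.each do |body|
    JSON.parse(body).fetch('issues').each do |issue|
      if issue.key?('is_private') && issue['is_private'] == false
        public_issues << issue
      else
        reason = issue.key?('is_private') ? 'private' : 'is_private missing'
        withheld << { 'id' => issue['id'], 'reason' => reason }
      end
    end
  end
  [public_issues, withheld]
end

# Builds the changelist lines from publishable issues only.
def changelog_lines(pages)
  public_issues, = partition_issues(pages)
  public_issues.map { |i| "##{i['id']}: #{i['subject']}" }
end

if __FILE__ == $PROGRAM_NAME
  puts changelog_lines(SAMPLE_PAGES)
  _, withheld = partition_issues(SAMPLE_PAGES)
  withheld.each { |w| warn "withheld ##{w['id']} (#{w['reason']})" }
end
```

The withheld list is worth logging: a run where every issue is withheld for a missing field points at a server that does not expose `is_private`, not at a project full of private issues.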
