Defect #18875

[Rest API][custom field] Why does "GET /custom_fields.xml" require the System manager's privilege?

Added by Hiroyuki Arakawa almost 4 years ago. Updated 24 days ago.

Status: New
Start date:
Priority: Normal
Due date:
Assignee: -
% Done: 0%
Category: REST API
Target version: -
Resolution:
Affected version: 2.6.0

Description

Dear developers

Why does getting "Custom_field's Possible values" require the System manager's privilege?

I am creating a Redmine client in C#.
My Redmine project has a Custom Field in List format.

My C# client can get the Custom Field value, but cannot update the Custom Field,
because getting "Possible values" requires the System manager's privilege.

I cannot give the system administrator privileges to all users.
I want all users to be able to get Possible values.

Best Regards.

project_api_include_issue_custom_fields.patch (5.45 KB) ume san, 2018-11-14 16:50


Related issues

Duplicated by Redmine - Feature #25542: Custom Fields available over the API Closed

History

#1 Updated by Mischa The Evil almost 4 years ago

  • Priority changed from High to Normal

My basic view on this is that the API implementation - r12165 for #11159 - just follows the same authorization level (user designated as an administrator) as is in use for its HTML counterpart. Global custom field listings are only available to administrator users via the Administration -> Custom fields menu.
Just to be sure: if you are trying to achieve updates for issues which are using custom field values, then see Rest_Issues#Updating-an-issue and Rest_api#Working-with-custom-fields.

#2 Updated by Ieuan Jenkins about 3 years ago

I can see the logic behind permitting the same access level to the API implementation of the Custom Fields page as to the standard web view, but practically speaking it doesn't really work.

As an API user how am I supposed to know what a valid value is?

If we agree it's bad practice to permit RO access for non-admin users to the http://redmine.org/custom_fields.json page, what about adding an include parameter option of custom_field_details, e.g. http://www.redmine.org/issues/18875.json?include=custom_field_details. This could return an XML/JSON representation of the custom fields valid for that project/issue combination?

#3 Updated by Loic Dachary about 3 years ago

It is very inconvenient to not be able to list the custom fields. When creating an issue, the id of the custom field is required to set the value and there is no other way to get it. So +1 on fixing this :-)

#4 Updated by Justin Hill about 3 years ago

+1 on fixing this! I'm building an iOS client for Redmine and it's currently just not possible to retrieve the possible values for a custom field, which makes it impossible to implement a fully-featured issue composer.

#5 Updated by Justin Hill almost 3 years ago

Hmm, another thought on the implementation of this fix. Each tracker can have its own composition of custom fields, so while it would be somewhat helpful to have the possible values, we would also need to know which trackers use each field in order to allow a user to construct a valid edit.

#6 Updated by ume san over 2 years ago

+1
like 'Issue Statuses', 'Trackers'.

#7 Updated by Toshi MARUYAMA over 1 year ago

  • Duplicated by Feature #25542: Custom Fields available over the API added

#8 Updated by ume san 27 days ago

I have created a patch for only 'Issue custom fields' of the project.

[syntax]
GET /projects/[id].xml?include=issue_custom_fields

Added Parameter issue_custom_fields to 'Showing a project' (GET /projects/[id].xml).

I would like to get your feedback.

#9 Updated by Yuuki NARA 24 days ago

+1 for #note-8 and #note-2 proposal

I agree that the items that can be referred to only from the administrator's settings screen should not be displayed to anyone other than the administrator.

However, what kind of problems will occur if you allow reference to custom field items by users other than the administrator?

It is necessary to think about whether the current access authority and the screen composition specification are appropriate.

For the required custom fields of the trackers currently selected in the project and the selected custom fields, it is a practical countermeasure to make it possible for project members to refer to possible values.

Sorry, the following is Japanese.

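I agree that items that can be referred to only on the administrator's settings screen should not be displayed to anyone other than the administrator.

However, if users other than the administrator were permitted to refer to custom field items, what kind of problems would occur?
I think it is necessary to consider whether the current access permissions and the screen layout specification are appropriate.

For the required custom fields of the trackers currently selected in the project, and for the selected custom fields,
I think that allowing project members to refer to the possible values is a realistic countermeasure.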
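
The project-scoped listing proposed in notes 2, 5, 8 and 9, sketched as an added example; it is not Redmine's code and not the attached patch. The structs, field names and sample data are a constructed model assumed for illustration.

```ruby
# Constructed model for illustration; these are not Redmine's classes.
CustomField = Struct.new(:id, :name, :possible_values, :tracker_ids, :project_ids, :for_all)
Project     = Struct.new(:id, :tracker_ids, :member_ids)
User        = Struct.new(:id, :admin)
class Forbidden < StandardError; end

# Global listing: administrators only, as GET /custom_fields behaves today.
def all_custom_fields(user, fields)
  raise Forbidden unless user.admin
  fields
end

# Project-scoped listing: project members (and administrators) see only the
# fields enabled for this project and used by one of its trackers.
def issue_custom_fields_for(user, project, fields)
  raise Forbidden unless user.admin || project.member_ids.include?(user.id)
  fields.each_with_object([]) do |f, out|
    next unless f.for_all || f.project_ids.include?(project.id)
    trackers = f.tracker_ids & project.tracker_ids
    next if trackers.empty?
    # Emit only what an issue form needs; drop project_ids and trackers that
    # belong to other projects so nothing outside this project is disclosed.
    out << { id: f.id, name: f.name, possible_values: f.possible_values, tracker_ids: trackers }
  end
end

# Constructed sample data.
FIELDS = [
  CustomField.new(1, "Severity", %w[Low High], [1, 2], [], true),
  CustomField.new(2, "Customer", %w[Acme Initech], [1], [20], false),
  CustomField.new(3, "Build", %w[nightly release], [3], [10], false)
]
PROJECT  = Project.new(10, [1], [7])
MEMBER   = User.new(7, false)
OUTSIDER = User.new(8, false)

if __FILE__ == $PROGRAM_NAME
  p issue_custom_fields_for(MEMBER, PROJECT, FIELDS)
end
```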
