[Rest API][custom field] Why does "GET /custom_fields.xml" require the System manager's privilege?
Why does getting a custom field's "Possible values" require the System manager's privilege?
I am creating a Redmine client in C#.
My Redmine project has a custom field in List format.
My C# client can get the custom field value, but cannot update the custom field,
because getting "Possible values" requires the System manager's privilege.
I cannot give the system administrator privileges to all users.
I want all users to be able to get Possible values.
#1 Updated by Mischa The Evil about 4 years ago
- Priority changed from High to Normal
My basic view on this is that the API implementation - r12165 for #11159 - just follows the same authorization level (user designated as an administrator) as is in use for its HTML counterpart. Global custom field listings are only available to administrator users via the Administration -> Custom fields menu.
Just to be sure: if you are trying to achieve updates for issues which are using custom field values, then see Rest_Issues#Updating-an-issue and Rest_api#Working-with-custom-fields.
#2 Updated by Ieuan Jenkins over 3 years ago
I can see the logic behind permitting the same access level to the API implementation of the Custom Fields page as to the standard web view, but practically speaking it doesn't really work.
As an API user how am I supposed to know what a valid value is?
If we agree it's bad practice to permit RO access for non-admin users to the http://redmine.org/custom_fields.json page, what about adding an include parameter option of http://www.redmine.org/issues/18875.json?include=custom_field_details. This could return an XML/JSON representation of the custom fields valid for that project/issue combination?
#5 Updated by Justin Hill about 3 years ago
Hmm, another thought on the implementation of this fix. Each tracker can have its own composition of custom fields, so while it would be somewhat helpful to have the possible values, we would also need to know which trackers use each field in order to allow a user to construct a valid edit.
I have created a patch for only 'Issue custom fields' of the project.
Added Parameter issue_custom_fields to 'Showing a project' (GET /projects/[id].xml).
I would like to get your feedback.
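The scoping discussed in this thread, sketched as an added example (not the patch attached to this issue and not Redmine code): the global listing stays administrator-only, while a project-scoped listing gives members the possible values and the tracker composition of the fields enabled for that project. All struct, method and field names here are hypothetical, and the sample data is constructed.

```ruby
# Hypothetical model: plain structs stand in for Redmine's records.
class Forbidden < StandardError; end

CustomField = Struct.new(:id, :name, :possible_values, :tracker_ids, :project_ids, :for_all)
User = Struct.new(:login, :admin, :member_project_ids)

# Constructed sample data.
FIELDS = [
  CustomField.new(1, "Severity", %w[Low High], [1], [], true),           # all projects, tracker 1
  CustomField.new(2, "Customer", %w[Acme Globex], [1, 2], [10], false),  # project 10 only
  CustomField.new(3, "Cost center", %w[CC-1 CC-2], [2], [20], false)     # project 20 only
].freeze

# Global listing: administrator-only, matching the behaviour described in note #1.
def global_custom_fields(user)
  raise Forbidden, "administrator required" unless user.admin
  FIELDS
end

# Project-scoped listing: a member sees only the fields enabled for that project,
# with the trackers that use each field (the concern raised in note #5).
def project_custom_fields(user, project_id, tracker_id: nil)
  unless user.admin || user.member_project_ids.include?(project_id)
    raise Forbidden, "not a member of project #{project_id}"
  end
  FIELDS.select { |f| f.for_all || f.project_ids.include?(project_id) }
        .select { |f| tracker_id.nil? || f.tracker_ids.include?(tracker_id) }
        .map do |f|
          { id: f.id, name: f.name,
            possible_values: f.possible_values, tracker_ids: f.tracker_ids }
        end
end

# Client-side check before sending an update: is the value valid for this
# project/tracker combination, using only what the member is allowed to read?
def valid_value?(user, project_id, tracker_id, field_id, value)
  field = project_custom_fields(user, project_id, tracker_id: tracker_id)
          .find { |f| f[:id] == field_id }
  !field.nil? && field[:possible_values].include?(value)
end
```

A member of project 10 learns nothing about field 3, which belongs to project 20 only, so the scoped endpoint does not reproduce the global administrator listing.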
#9 Updated by Yuuki NARA 3 months ago
+1 for #note-8 and #note-2 proposal
I agree that the items that can be referred to only from the administrator's settings screen should not be displayed to anyone other than an administrator.
However, what kind of problems will occur if you allow reference to custom field items beyond administrators?
It is necessary to think about whether the current access authority and the screen composition specification are appropriate.
For the tracker's required custom field currently selected in the project and the selected custom field, it is a practical countermeasure to make it possible for project members to refer to possible values.
Sorry, the following is Japanese.