Patch #24051

As a non-admin user using API, I want to be able to filter users by their username without getting forbidden exception

Added by David Côté-Tremblay almost 3 years ago. Updated over 2 years ago.

Status: Resolved
Start date:
Priority: Normal
Due date:
Assignee: -
% Done: 0%
Category: REST API
Target version: -

Description

We created an Odoo -> Redmine connector for uploading time spent from Redmine to HR tools in Odoo (https://github.com/savoirfairelinux/connector-redmine/tree/ddufresne_port_to_8_0).

When we call that function with a superuser API key, all works well, but when it is a normal user API key, it returns a forbidden exception:

redmine_api.user.filter(name="SOMEUSERNAME")

I think that reinforcing security by not giving a superuser Redmine API key to Odoo would be interesting.

That would be possible by allowing standard Redmine users to use API to filter users by their username instead of throwing an exception.

0001-As-a-non-admin-user-using-API-I-want-to-be-able-to-f.patch (979 Bytes) David Côté-Tremblay, 2016-10-11 20:55

allowing-nonsuperusers-to-search-users-by-filters-from-api.patch (371 Bytes) David Côté-Tremblay, 2016-10-12 16:56

redmine_lte_v3.2_allow-stdusers-filter-users-from-api.patch - Redmine <= 3.2 patch for non-superuser can filter users by API (371 Bytes) David Côté-Tremblay, 2016-10-12 17:08

redmine_lt_v3.3_allow-stdusers-filter-users-from-api.patch (371 Bytes) David Côté-Tremblay, 2016-10-12 17:11


Related issues

Related to Redmine - Defect #7773: Only Redmine administrators can get users from REST API New 2011-03-04

History

#1 Updated by David Côté-Tremblay almost 3 years ago

Here is the patch for the development version. Requesting review for implementation.

GitHub pull request, if it's now a thing: https://github.com/redmine/redmine/pull/86

#3 Updated by David Côté-Tremblay almost 3 years ago

You can use this patch if you have Redmine <= 3.2

#5 Updated by Holger Just over 2 years ago

When removing the admin requirement on UsersController#index, the User.visible scope needs to be added to the ActiveRecord query in order to only show users which are visible to the current user.

Once this is fixed, I think it is a great idea to have a user listing available. With the now available role-based controls for the user visibility, this should work without negatively affecting privacy.
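An added example of the point made in the comment above (not Redmine's code and not the attached patch): a plain-Ruby, in-memory model of UsersController#index with and without a visibility scope. The User struct, the sample accounts and the `visible_users` helper are constructed stand-ins for Redmine's User model and User.visible scope; the "all" / "members_of_visible_projects" rule is a simplification of Redmine's role-based users_visibility setting.

```ruby
# Constructed stand-in for Redmine's User model (not Redmine's code).
# users_visibility mirrors the role setting: "all" or "members_of_visible_projects".
User = Struct.new(:login, :admin, :users_visibility, :projects, keyword_init: true)

# Constructed sample accounts: alice and bob share project :p1, carol is alone
# on :p3 but her role may see everyone, root is an administrator.
ALICE = User.new(login: "alice", admin: false, users_visibility: "members_of_visible_projects", projects: [:p1])
BOB   = User.new(login: "bob",   admin: false, users_visibility: "members_of_visible_projects", projects: [:p1, :p2])
CAROL = User.new(login: "carol", admin: false, users_visibility: "all", projects: [:p3])
ROOT  = User.new(login: "root",  admin: true,  users_visibility: "all", projects: [])
ALL_USERS = [ALICE, BOB, CAROL, ROOT].freeze

# Stand-in for User.visible(current_user): the set of accounts current_user
# is allowed to see. Admins and "all" roles see everyone; otherwise only
# members of the caller's own projects (plus the caller itself) are visible.
def visible_users(current_user, users = ALL_USERS)
  return users if current_user.admin
  return users if current_user.users_visibility == "all"
  users.select { |u| u == current_user || (u.projects & current_user.projects).any? }
end

# Before: the query behind the admin-only index. If the admin check is simply
# dropped while this query stays, any API key can enumerate every account.
def index_unscoped(name_filter)
  ALL_USERS.select { |u| u.login.include?(name_filter) }.map(&:login)
end

# After: the same name filter, but applied on top of the visibility scope, so a
# non-admin caller only learns about accounts it could already see in the UI.
def index_scoped(current_user, name_filter)
  visible_users(current_user).select { |u| u.login.include?(name_filter) }.map(&:login)
end
```

Calling `index_scoped(ALICE, "")` yields only `["alice", "bob"]`, while `index_unscoped("")` returns all four logins regardless of who is asking.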

#6 Updated by Mitsuhiro Tanino over 2 years ago

I think Defect #7773 is trying to solve the same problem as this one, and I posted a patch on that thread.
Could I get a feedback for that patch?

#7 Updated by Toshi MARUYAMA over 2 years ago

  • Related to Defect #7773: Only Redmine administrators can get users from REST API added
