As a non-admin user using API, I want to be able to filter users by their username without getting forbidden exception
We created an Odoo -> Redmine connector for uploading time spent from Redmine to HR tools in Odoo (https://github.com/savoirfairelinux/connector-redmine/tree/ddufresne_port_to_8_0).
When we call that function from a superuser API key, all works well, but when it is normal user API key, it does return a forbidden exception :
I think that to reinforce security by not giving superuser Redmine API key to Odoo would be interesting.
That would be possible by allowing standard Redmine users to use API to filter users by their username instead of throwing an exception.
#1 Updated by David Côté-Tremblay over 3 years ago
- File 0001-As-a-non-admin-user-using-API-I-want-to-be-able-to-f.patch added
- Status changed from New to Resolved
There is the patch for the development version. Requesting review for implement.
GitHub pull request if its now a thing : https://github.com/redmine/redmine/pull/86
#2 Updated by David Côté-Tremblay over 3 years ago
#3 Updated by David Côté-Tremblay over 3 years ago
You can use this patch if you have Redmine <= 3.2
#4 Updated by David Côté-Tremblay over 3 years ago
#5 Updated by Holger Just over 3 years ago
When removing the admin requirement on
UsersController#index, there need to be the
User.visible scope added to the ActiveRecord query in order to only show users which are visible to the current user.
Once this is fixed, I think it is a great idea to have a user listing available. With the now available role-based controls for the user visibility, this should work without negatively affecting privacy.