Patch #29459

Add admin flag to users API

Added by Holger Just 20 days ago. Updated 16 days ago.

Status: New
Priority: Normal
Assignee: -
Start date:
Due date:
% Done: 0%

Category:REST API
Target version:4.1.0

Description

Currently, it is not possible to distinguish admin users from "normal" users via the API. This patch adds the admin flag to the users API. The flag is added to the index action (visible only to admins) and on the show action to admins only.

Note that due to a peculiarity of the API builder, the field is only included in JSON responses if the value is true. For XML, it is included with true and false values respectively. With the JSON API, it is thus not possible to distinguish a list of non-admin users from a list of users without the permission to see the admin status.

0001-Expose-the-Admin-flag-on-the-users-api-to-admin-user.patch (2.35 KB) Holger Just, 2018-08-29 16:41
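A constructed Ruby illustration of the JSON/XML asymmetry the description reports, added here as an example; it is not Redmine's API builder and not code from the attached patch. A stand-in serializer drops a false `admin` attribute from JSON but writes it to XML, and a client-side check treats a missing JSON key as "unknown" rather than "false". The `user_to_*` and `admin_status_from_*` functions are assumptions made for this example.

```ruby
require 'json'

# Stand-in for the behaviour the description reports: a JSON attribute whose
# value is false is dropped, while XML carries both true and false. This is
# an assumption for illustration, not Redmine's real builder. A user hash
# with admin: nil models "the flag is not visible to the caller at all".
def user_to_json(user)
  attrs = { 'id' => user[:id], 'login' => user[:login] }
  attrs['admin'] = true if user[:admin]   # false and nil both vanish here
  JSON.generate('user' => attrs)
end

def user_to_xml(user)
  fields = ["<id>#{user[:id]}</id>", "<login>#{user[:login]}</login>"]
  fields << "<admin>#{user[:admin]}</admin>" unless user[:admin].nil?
  "<user>#{fields.join}</user>"
end

# Client-side interpretation. A missing JSON key may mean either "false" or
# "caller may not see this", so it is reported as :unknown and never
# silently collapsed into :not_admin.
def admin_status_from_json(body)
  JSON.parse(body)['user']['admin'] == true ? :admin : :unknown
end

def admin_status_from_xml(body)
  # Constructed XML is flat, so a regex suffices here; a real client should
  # use an XML parser.
  value = body[%r{<admin>(true|false)</admin>}, 1]
  return :unknown if value.nil?
  value == 'true' ? :admin : :not_admin
end

if __FILE__ == $PROGRAM_NAME
  alice = { id: 1, login: 'alice', admin: true }
  bob   = { id: 2, login: 'bob',   admin: false }
  carol = { id: 3, login: 'carol', admin: nil }   # flag hidden from caller
  [alice, bob, carol].each do |u|
    puts "#{u[:login]}: json=#{admin_status_from_json(user_to_json(u))} " \
         "xml=#{admin_status_from_xml(user_to_xml(u))}"
  end
end
```

Only the XML path separates bob (not an admin) from carol (status withheld); in JSON both produce the same response.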

History

#1 Updated by Go MAEDA 16 days ago

  • Target version changed from Candidate for next minor release to 4.1.0

#2 Updated by Go MAEDA 16 days ago

IMHO, it is better to remove '|| (User.current == @user)' from the patch. Non-admin users can know whether they are admin or not by accessing /users.(xml|json).

Index: app/views/users/show.api.rsb
===================================================================
--- app/views/users/show.api.rsb    (revision 17471)
+++ app/views/users/show.api.rsb    (working copy)
@@ -1,6 +1,7 @@
 api.user do
   api.id         @user.id
   api.login      @user.login if User.current.admin? || (User.current == @user)
+  api.admin      @user.admin? if User.current.admin? || (User.current == @user)
   api.firstname  @user.firstname
   api.lastname   @user.lastname
   api.mail       @user.mail if User.current.admin? || !@user.pref.hide_mail
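Review bot: the `|| (User.current == @user)` clause on the added `api.admin` line does not match the description, which says the show action exposes the flag to admins only; and since the description also notes that the JSON builder omits the attribute when its value is false, a non-admin viewing their own record gets no `admin` key in JSON either way, so the self clause only has an observable effect in XML. Suggest dropping the clause so the line reads `api.admin @user.admin? if User.current.admin?`, or, if self-visibility is intended, stating that in the description and noting the JSON/XML difference.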

When a non-admin user gets their information via the XML API, the response contains an '<admin>' element and they can see from its value that they are a non-admin user. But when a non-admin user accesses the JSON API, it is impossible to tell whether they are an admin or not because the response does not have an 'admin' key, as you already mentioned. The behavior and specification will differ between XML and JSON. I think it is confusing.
