Defect #7773
Only Redmine administrators can get users from REST API
Status: open
% Done: 0%
Description
On Redmine 1.1, only a user logged in as a Redmine administrator can get a list of users. Regular users get a HTTP 403 Forbidden error.
Getting a list of users is required in order to create an issue using the REST API and assign it to a project member.
Files
Related issues
       Updated by Jakub Wolny over 14 years ago
Exactly - I have the same problem while creating my app, which uses the REST API.
Is there any workaround about this?
Maybe some list of fields which user's fields are "public" and can be retrieved by API?
       Updated by Etienne Massip over 14 years ago
- Target version set to Candidate for next major release
       Updated by Alex Last almost 14 years ago
This improvement would eliminate the need for "Admin" access for Task Adapter, which would be very good. Is it possible to implement this in v. 1.3.1?
       Updated by Jeffrey Clark over 13 years ago
Something smells funny. The users index is restricted to administrator, but the individual entries are freely accessible (/users/1 , /users/2 ...).
I would expect for non-administrators the response to be a list of project members for projects which I have access. In addition, `/projects/wizbang/users.xml` seems like an appropriate route to add.
       Updated by Benoit Duffez over 12 years ago
What's the status of this? It's been 10% implemented for 8 months now, but it still is a missing feature in my opinion.
       Updated by Jean-Philippe Lang over 12 years ago
Jeffrey Clark wrote:
Something smells funny. The users index is restricted to administrator, but the individual entries are freely accessible (/users/1 , /users/2 ...).
Wrong. Individual entries are accessible to non-admin users only if the requested user is active and is a member of a visible project or has a visible activity. There's too much logic involved to send an entire list of users.
On the other side, an API for getting the project members seems much more reasonable. If it's any help, I'd be happy to add it to 2.4.0.
       Updated by Jean-Philippe Lang over 12 years ago
Actually, the members list was added to the API in r8798 (e.g. /projects/wizbang/memberships.xml, see Rest_Memberships). It's only accessible to users who have the "manage members" permission. We can make it accessible to anyone who can view the project.
       Updated by Benoit Duffez over 12 years ago
Well, the REST API access is not on par with standard HTTP access. Indeed, on my server I have a public project, on which registered users can add issues and comments. Registration is open (yet validated by hand), so basically anyone can add issues and comments without being marked as members of that project.
So on HTTP access (e.g. /issues/123), anyone (including anonymous access) can see the users name, avatar.
With REST access, this information is unavailable because the raw list of users is not public (and restricted to admins), and because the individual users that may add issues or comment are not members of that project.
       Updated by Jean-Philippe Lang over 12 years ago
Benoit Duffez wrote:
So on HTTP access (e.g. /issues/123), anyone (including anonymous access) can see the users name, avatar.
Try /issues/123.xml, you will see the user names as long as you are allowed to view this issue.
With REST access, this information is unavailable because the raw list of users is not public (and restricted to admins), and because the individual users that may add issues or comment are not members of that project.
The issue view is not the users list. Using regular HTML access, only admins can view the users list. It works the same with the API.
       Updated by Benoit Duffez over 12 years ago
That's right. I didn't exactly mention what was missing; it's in fact only the email address, which can be used to generate the Gravatar URL, which generates the avatar.
I think this is a sensitive info that can't be disclosed, so I'll have to deal without.
Thanks a lot for the reminder, and thank you for your time and kind support.
       Updated by Etienne Massip over 12 years ago
- Target version deleted (Candidate for next major release)
- % Done changed from 10 to 0
       Updated by Benoit Duffez over 12 years ago
I'm sorry, it just popped into my mind, I didn't mention it the other day.
Jean-Philippe Lang wrote:
Actually, the members list was added to the API in r8798 (e.g. /projects/wizbang/memberships.xml, see Rest_Memberships). It's only accessible to users who have the "manage members" permission. We can make it accessible to anyone who can view the project.
This would be great, and it'd make sense. HTTP access provides the members list, the REST API returns HTTP 401.
       Updated by Benoit Duffez about 12 years ago
Hi,
Actually, I'd need this implementation. This would make users that have rights to see a project have the right to get the list of users that are members of that project.
Say that I'm logged as a user that can post an issue on a project but is not admin.
Via HTTP: GET /projects/what/issues/new => there's the "assign to" input field, that contains the list of users
Via REST: GET /projects/what/memberships.(json|xml)?key=abcd => empty
       Updated by Steffen Gebert almost 12 years ago
Yes, I agree with that and also have the need for synchronisation with other systems. Why should information that is available anonymously via HTML not be available via REST (not even for authenticated, non-admin users)?
       Updated by tycho luyben over 11 years ago
Any progress on this issue? I'm using the API and now I need to give manage members perms to get the possible users in the project, which I don't want to do. Making the /projects/1/memberships.json work for only listing would be the solution (and a simple one at that)?
       Updated by Rene Pilz over 11 years ago
I also agree with Tycho and Steffen.
Please make this issue available.
We are currently developing some small Java apps that should fetch data from Redmine (we are evaluating using Redmine as a time-tracking system). And there it is a must to match user-id and user-logon (which looks to be only possible using the /users.xml REST API call).
Another point:
get /users/<id>.xml works even with an non-Administrator User.
So we have this workaround: for (i=0;i<10'000;i++) GET /users/$i.xml
Works and we also have a full user list.
Therefore: getting /users.xml blocked as non-admin is a bug.
       Updated by Luis Escamilla over 11 years ago
Jean-Philippe Lang wrote:
On the other side, an API for getting the project members seems much more reasonable. If it's any help, I'd be happy to add it to 2.4.0.
I think so. Can you add this new feature to the next version?
Thanks in advance.
       Updated by anil venkata over 11 years ago
When a non-admin user is added to a project with manager as role, this non-admin user (as he is manager now) can see and add users as members to the project. This is achieved through HTTP (i.e. UI).
/projects/p1/settings    tab -> "members"  window -> "New Member" with users and role
But the same thing is not possible through the REST API.
A non-admin user, though he is a manager of a project, can't get the users list through the REST API.
GET <ip>/users.xml is not working, i.e. rendering 403 error [:require_admin] rendered_or_redirected.
At present we are using an admin token in our tool along with the GET <ip>/users.xml REST API, so that a non-admin user (project manager) can get the users list, which he wanted to add to the project. Can this be fixed, so that a non-admin user can get the users list through the REST API (as this is already happening and not restricted in HTTP, i.e. UI)?
       Updated by Kostas Manios about 11 years ago
Anil,
There is another workaround for getting all users, by adding them to a group and having your project manager as the owner of this group (see forum discussion http://www.redmine.org/boards/3/topics/28005?r=43940#message-43940).
However I am still not able to add the new member to my project (which you said you did). Can I ask which API you are using? If you are using C#, would you be so kind as to help me out?
       Updated by Jean-Philippe Lang over 10 years ago
- Has duplicate Defect #19794: non Admins cannot list users through API added
       Updated by Jake Kemme over 9 years ago
If you have access to your Redmine code base,
app/controllers/users_controller.rb can be modified as follows:
  - before_filter :require_admin, :except => :show
  + before_filter :require_admin, :except => [:show, :index]
  + before_filter :require_admin_or_api_request, :only => :index
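Review bot: exempting :index from require_admin and guarding it with require_admin_or_api_request lets any API request, admin or not, receive the complete users table, since the index query itself is unchanged; nothing restricts the result to users the caller is allowed to see, which is the point Holger Just raises later in this thread (apply the User.visible scope to the query). It also makes the HTML and API behaviour diverge: the same non-admin user is still refused the HTML index but gets the full list over the API. Suggest one rule for both paths, filtering the index with the visibility scope instead of exempting API requests.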
Perhaps this could be submitted as a patch since all users can be fetched by looping on /users/$i.xml, so the restriction of the users.xml API call adds no extra security.
       Updated by Sébastien Aubry about 9 years ago
I agree, this should be submitted as a patch: I have hundreds of users to retrieve in order to convert the user_id I get inside Issues to firstname/lastname, and I now have to make multiple calls to /users/$i.xml.
Thanks!
       Updated by Mitsuhiro Tanino almost 9 years ago
- File 0001-Enable-none-admin-users-to-get-users-list-from-REST-.patch added
Hi,
I attached a patch to fix the issue based on the proposal from Jake on comment #24.
This patch is for Redmine master branch.
Thanks,
       Updated by Anonymous almost 9 years ago
Extra information (duplicated ticket): #24051
Holger Just wrote:
When removing the admin requirement on UsersController#index, the User.visible scope needs to be added to the ActiveRecord query in order to only show users which are visible to the current user. Once this is fixed, I think it is a great idea to have a user listing available. With the now available role-based controls for the user visibility, this should work without negatively affecting privacy.
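The visibility rule discussed in this thread, modelled as an added plain-Ruby example (not Redmine's own code): a non-admin may see a user only if that user is active and shares a project the requester can view. Structs and constructed sample data stand in for Redmine's ActiveRecord models and the User.visible scope, and "visible project" is assumed to mean a public project or one the requester belongs to.

```ruby
# Added example, not Redmine code. Structs replace ActiveRecord models; the
# sample users and projects below are constructed for the demonstration.
User = Struct.new(:id, :login, :active, :admin, :project_ids, keyword_init: true)
Project = Struct.new(:id, :public, keyword_init: true)

PROJECTS = [
  Project.new(id: 1, public: true),
  Project.new(id: 2, public: false),
  Project.new(id: 3, public: false),
].freeze

USERS = [
  User.new(id: 1, login: "alice", active: true,  admin: true,  project_ids: [2]),
  User.new(id: 2, login: "bob",   active: true,  admin: false, project_ids: [1]),
  User.new(id: 3, login: "carol", active: true,  admin: false, project_ids: [3]),
  User.new(id: 4, login: "dave",  active: false, admin: false, project_ids: [1]),
  User.new(id: 5, login: "eve",   active: true,  admin: false, project_ids: [1, 2]),
].freeze

# Projects the requesting user may view (assumption): public ones plus their own.
def visible_project_ids(current_user, projects = PROJECTS)
  projects.select { |p| p.public || current_user.project_ids.include?(p.id) }
          .map(&:id)
end

# What an index without a visibility scope returns to any API request:
# the whole table, including locked users and private-project members.
def users_index_unfiltered(_current_user, users = USERS)
  users.map(&:login)
end

# Index with the visibility scope applied: admins see everyone, others only
# active users sharing at least one project they are allowed to view.
def users_index_visible(current_user, users = USERS, projects = PROJECTS)
  return users.map(&:login) if current_user.admin
  vis = visible_project_ids(current_user, projects)
  users.select { |u| u.active && (u.project_ids & vis).any? }.map(&:login)
end

def find_user(login, users = USERS)
  users.find { |u| u.login == login }
end

if $PROGRAM_NAME == __FILE__
  %w[alice bob carol].each do |login|
    me = find_user(login)
    puts "#{login}: unfiltered=#{users_index_unfiltered(me)} visible=#{users_index_visible(me)}"
  end
end
```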
       Updated by Toshi MARUYAMA almost 9 years ago
- Related to Patch #24051: As a non-admin user using API, I want to be able to filter users by their username without getting forbidden exception added