Roundup Tracker - Issues

Issue 2551050

classification
Title: Rest interface can't select users with particular roles. [keyword=rest]
Type: behavior Severity: normal
Components: Documentation, API Versions: devel
process
Status: fixed Resolution: fixed
Dependencies: Superseder:
Assigned To: rouilj Nosy List: rouilj, schlatterbeck
Priority: normal Keywords: rest

Created on 2019-07-10 18:36 by rouilj, last changed 2019-07-22 14:52 by schlatterbeck.

Messages
msg6572 Author: [hidden] (rouilj) Date: 2019-07-10 18:36
I expect the rest API to be used for user selection helpers (seen in
the web interface with the "(list)" link).

This can require selecting users with a particular role.  An example
in the customization document discusses limiting people who can be
assigned to an issue.  To do this, assign the new role Developer to
the user.  Then use this role to filter people with appropriate
permission check e.g. fixer.

However emulating that with the rest interface isn't possible.
the rest call to:

 https://....net/demo/rest/data/user?@fields=roles,username&roles=Developer'

only works with the default schema if the user is an admin. If the
user is not an admin, all users in the tracker are returned.

I think the default schema needs to allow any user to search the Roles
attribute of a user to make this work. Also need to make sure that
filtering uses search permissions and not view permissions. I am not
sure if there is a security implication to this.

Another way would be to expose permissions as objects in the rest
interface allowing listing of users with a particular permission.
E.G.

   demo/rest/data/@permission/fixer?@fields=username,responsibilty

to generate a helper table with usernames and a text description of
the responsible sections of the product to aid in choosing the right
person.

The code backing this could access the user with admin privs allowing
the search of roles and return the user list matching the requested
permission. I think this is similar in concept to what the web
interface does.

Quips, comments, evasions, questions, observations or answers?
msg6576 Author: [hidden] (rouilj) Date: 2019-07-11 13:18
In message <20190710183624.452734C0317@itserver6.localdomain>,
John Rouillard writes:
>However emulating that with the rest interface isn't possible.
>the rest call to:
>
> https://....net/demo/rest/data/user?@fields=roles,username&roles=Developer'
>
>only works with the default schema if the user is an admin. If the
>user is not an admin, all users in the tracker are returned.
>
>I think the default schema needs to allow any user to search the Roles
>attribute of a user to make this work.

I tried this and it does seem to work. The demo user (non-admin) gets
the proper list of users. The roles field is not shown except for the
demo user itself since demo has no view access to other's roles.

>Also need to make sure that filtering uses search permissions and not
>view permissions.

It does use search perms (which default to view perms).

>I am not sure if there is a security implication to this.

Still not sure. It would be possible to find out who is an admin even
though no web view would disclose that info. Is this a significant
problem if we have rate limiting of login (password guessing) attempts
in place?
msg6577 Author: [hidden] (rouilj) Date: 2019-07-12 00:32
I documented adding a new rest endpoint to the tracker
(using interfaces.py) to allow access. It creates
a url like:

  .../rest/data/@permission/Developer

see doc/rest.txt rev:5843:da1f40b5148d for details.

So we have a solution via adding search permission that
can leak other perms and a solution that doesn't leak other
perms.

Closing.
msg6581 Author: [hidden] (schlatterbeck) Date: 2019-07-22 14:52
On Wed, Jul 10, 2019 at 06:36:26PM +0000, John Rouillard wrote:
> I expect the rest API to be used for user selection helpers (seen in
> the web interface with the "(list)" link).
> 
> This can require selecting users with a particular role.  An example
> in the customization document discusses limiting people who can be
> assigned to an issue.  To do this, assign the new role Developer to
> the user.  Then use this role to filter people with appropriate
> permission check e.g. fixer.
> 
> However emulating that with the rest interface isn't possible.
> the rest call to:
> 
>  https://....net/demo/rest/data/user?@fields=roles,username&roles=Developer'
> 
> only works with the default schema if the user is an admin. If the
> user is not an admin, all users in the tracker are returned.

You may want to set View (or only Search) permissions for user.roles in
your tracker for some.

I don't think that we want this as a general default. Per default,
currently, normal users (role 'User') may not see roles.

> I think the default schema needs to allow any user to search the Roles
> attribute of a user to make this work. Also need to make sure that
> filtering uses search permissions and not view permissions. I am not
> sure if there is a security implication to this.

I think I fixed the check for filtering to use Search permissions at
some point but I may remember this wrongly.

> Another way would be to expose permissions as objects in the rest
> interface allowing listing of users with a particular permission.
> E.G.
> 
>    demo/rest/data/@permission/fixer?@fields=username,responsibilty
> 
> to generate a helper table with usernames and a text description of
> the responsible sections of the product to aid in choosing the right
> person.

Yes, that would be cool.
I think the API currently permits getting a printable list of all
permissions; I made a user.roles.html template that displays these
permissions -- same as reported by the command-line
  'roundup-admin -i /path/to/tracker security'

So you could use that admin function and format as JSON.

Ralf
-- 
Dr. Ralf Schlatterbeck                  Tel:   +43/2243/26465-16
Open Source Consulting                  www:   http://www.runtux.com
Reichergasse 131, A-3411 Weidling       email: office@runtux.com
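To make the permission behaviour discussed in this thread concrete, here is a small Python model written for this page (it is not Roundup's code, and its users, permission table and function names are made up). It shows the three situations the messages describe: a non-admin whose filter on user.roles is dropped because they may neither View nor Search that property, so every user comes back (msg6572); the same user after role 'User' is granted Search but not View on user.roles, where the filter works but roles are never shown except on the caller's own record (msg6576), and where the same Search grant lets that user enumerate who holds Admin by filtering roles=Admin (the leak msg6577 mentions); and a model of the alternative `@permission/<role>` endpoint, which does the lookup with admin-level access server-side and answers only for roles the tracker chooses to expose. The allowlist `EXPOSED_ROLES`, the sample data and the "filter is silently ignored" rule are assumptions made for the example.

```python
"""Model of Roundup's View/Search permission split as it affects the REST
user listing discussed in this issue.  Constructed example, not Roundup
code: the users, permission tables and function names are made up."""

import copy

# Constructed sample tracker contents (not real users).
USERS = {
    "1": {"username": "admin", "roles": "Admin"},
    "2": {"username": "alice", "roles": "User,Developer"},
    "3": {"username": "bob",   "roles": "User"},
    "4": {"username": "carol", "roles": "User,Developer"},
    "5": {"username": "demo",  "roles": "User"},
}

# Permissions per role: (permission name, class) -> properties it covers,
# None meaning every property.  Mirrors a default-like schema where role
# 'User' may View basic fields of other users but not their roles.
DEFAULT_PERMS = {
    "Admin":     {("View", "user"): None, ("Search", "user"): None},
    "User":      {("View", "user"): {"username", "realname"}},
    "Developer": {},
}


def roles_of(userid):
    return {r.strip() for r in USERS[userid]["roles"].split(",")}


def has_permission(perms, userid, name, klass, prop):
    for role in roles_of(userid):
        if (name, klass) not in perms.get(role, {}):
            continue
        covered = perms[role][(name, klass)]
        if covered is None or prop in covered:
            return True
    return False


def has_search_permission(perms, userid, klass, prop):
    # Searching a property is allowed with either View or Search on it,
    # so search permission "defaults to" view permission (msg6576).
    return (has_permission(perms, userid, "View", klass, prop)
            or has_permission(perms, userid, "Search", klass, prop))


def rest_list_users(perms, caller, filters, fields):
    """Model of GET /rest/data/user?@fields=<fields>&<prop>=<value>...
    A filter on a property the caller may not search is dropped (assumed
    here to match msg6572, where a non-admin got every user back).  A
    field is emitted only where the caller may View it; a user's own
    record is always viewable, as the default schema allows."""
    result = []
    for uid, rec in USERS.items():
        keep = True
        for prop, value in filters.items():
            if not has_search_permission(perms, caller, "user", prop):
                continue                      # filter silently ignored
            if prop == "roles":
                keep = keep and value in roles_of(uid)
            else:
                keep = keep and rec.get(prop) == value
        if not keep:
            continue
        item = {"id": uid}
        for f in fields:
            if uid == caller or has_permission(perms, caller, "View", "user", f):
                item[f] = rec[f]
        result.append(item)
    return result


def with_roles_search(perms, role="User"):
    """The first fix: grant a role Search (not View) on user.roles.
    In a real tracker this is a schema.py change; here it is a table edit."""
    new = copy.deepcopy(perms)
    new.setdefault(role, {})[("Search", "user")] = {"roles"}
    return new


EXPOSED_ROLES = {"Developer"}   # assumption: roles the helper may reveal


def rest_role_members(role):
    """Model of the documented alternative, GET /rest/data/@permission/<role>:
    the lookup runs with admin-level access on the server and returns only
    usernames, and only for roles the tracker chooses to expose, so it
    cannot be turned into an oracle for who holds Admin."""
    if role not in EXPOSED_ROLES:
        return None
    return sorted(USERS[u]["username"] for u in USERS if role in roles_of(u))


if __name__ == "__main__":
    q = ({"roles": "Developer"}, ["username", "roles"])
    print("demo, default perms :", rest_list_users(DEFAULT_PERMS, "5", *q))
    print("admin, default perms:", rest_list_users(DEFAULT_PERMS, "1", *q))
    leaky = with_roles_search(DEFAULT_PERMS)
    print("demo, Search granted:", rest_list_users(leaky, "5", *q))
    print("demo enumerates admins:",
          rest_list_users(leaky, "5", {"roles": "Admin"}, ["username"]))
    print("@permission/Developer:", rest_role_members("Developer"))
    print("@permission/Admin    :", rest_role_members("Admin"))
```

The point of the side-by-side is that a Search-only grant is a filtering oracle: even though no field value is ever returned, a yes/no answer per filter value discloses membership of every role, Admin included. The dedicated endpoint keeps the decision of which role memberships are public in one place on the server instead of in a property-level permission.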
History
Date                 User           Action  Args
2019-07-22 14:52:10  schlatterbeck  set     nosy: + schlatterbeck
                                            messages: + msg6581
                                            title: Rest interface can't select users with particular roles. -> Rest interface can't select users with particular roles. [keyword=rest]
2019-07-12 00:32:09  rouilj         set     status: new -> fixed
                                            priority: normal
                                            type: behavior
                                            assignee: rouilj
                                            components: + Documentation, API
                                            versions: + devel
                                            messages: + msg6577
                                            resolution: fixed
2019-07-11 13:18:40  rouilj         set     messages: + msg6576
                                            title: Rest interface can't select users with particular roles. [keyword=rest] -> Rest interface can't select users with particular roles.
2019-07-11 01:59:38  rouilj         set     keywords: + rest
2019-07-10 18:36:26  rouilj         create