Issue 2551050
Created on 2019-07-10 18:36 by rouilj, last changed 2019-07-22 14:52 by schlatterbeck.
Messages

msg6572 | Author: [hidden] (rouilj) | Date: 2019-07-10 18:36

I expect the rest API to be used for user selection helpers (seen in the web interface with the "(list)" link).

This can require selecting users with a particular role. An example in the customization document discusses limiting people who can be assigned to an issue. To do this, assign the new role Developer to the user. Then use this role to filter people with appropriate permission check e.g. fixer.

However emulating that with the rest interface isn't possible. The rest call to:

    https://....net/demo/rest/data/user?@fields=roles,username&roles=Developer'

only works with the default schema if the user is an admin. If the user is not an admin, all users in the tracker are returned.

I think the default schema needs to allow any user to search the Roles attribute of a user to make this work. Also need to make sure that filtering uses search permissions and not view permissions. I am not sure if there is a security implication to this.

Another way would be to expose permissions as objects in the rest interface allowing listing of users with a particular permission. E.G.

    demo/rest/data/@permission/fixer?@fields=username,responsibilty

to generate a helper table with usernames and a text description of the responsible sections of the product to aid in choosing the right person.

The code backing this could access the user with admin privs allowing the search of roles and return the user list matching the requested permission. I think this is similar in concept to what the web interface does.

Quips, comments, evasions, questions, observations or answers?

msg6576 | Author: [hidden] (rouilj) | Date: 2019-07-11 13:18

In message <20190710183624.452734C0317@itserver6.localdomain>, John Rouillard writes:

> However emulating that with the rest interface isn't possible.
> the rest call to:
>
>     https://....net/demo/rest/data/user?@fields=roles,username&roles=Developer'
>
> only works with the default schema if the user is an admin. If the
> user is not an admin, all users in the tracker are returned.
>
> I think the default schema needs to allow any user to search the Roles
> attribute of a user to make this work.

I tried this and it does seem to work. The demo user (non-admin) gets the proper list of users. The roles field is not shown except for the demo user itself since demo has no view access to others' roles.

> Also need to make sure that filtering uses search permissions and not
> view permissions.

It does use search perms (which default to view perms).

> I am not sure if there is a security implication to this.

Still not sure. It would be possible to find out who is an admin even though no web view would disclose that info. Is this a significant problem if we have rate limiting of login (password guessing) attempts in place?

msg6577 | Author: [hidden] (rouilj) | Date: 2019-07-12 00:32

I documented adding a new rest endpoint to the tracker (using interfaces.py) to allow access. It creates a url like:

    .../rest/data/@permission/Developer

See doc/rest.txt rev:5843:da1f40b5148d for details.

So we have a solution via adding search permission that can leak other perms and a solution that doesn't leak other perms.

Closing.

msg6581 | Author: [hidden] (schlatterbeck) | Date: 2019-07-22 14:52

On Wed, Jul 10, 2019 at 06:36:26PM +0000, John Rouillard wrote:

> I expect the rest API to be used for user selection helpers (seen in
> the web interface with the "(list)" link).
>
> This can require selecting users with a particular role. An example
> in the customization document discusses limiting people who can be
> assigned to an issue. To do this, assign the new role Developer to
> the user. Then use this role to filter people with appropriate
> permission check e.g. fixer.
>
> However emulating that with the rest interface isn't possible.
> the rest call to:
>
>     https://....net/demo/rest/data/user?@fields=roles,username&roles=Developer'
>
> only works with the default schema if the user is an admin. If the
> user is not an admin, all users in the tracker are returned.

You may want to set View (or only Search) permissions for user.roles in your tracker for some. I don't think that we want this as a general default. Per default, currently, normal users (role 'User') may not see roles.

> I think the default schema needs to allow any user to search the Roles
> attribute of a user to make this work. Also need to make sure that
> filtering uses search permissions and not view permissions. I am not
> sure if there is a security implication to this.

I think I fixed the check for filtering to use Search permissions at some point but I may remember this wrongly.

> Another way would be to expose permissions as objects in the rest
> interface allowing listing of users with a particular permission.
> E.G.
>
>     demo/rest/data/@permission/fixer?@fields=username,responsibilty
>
> to generate a helper table with usernames and a text description of
> the responsible sections of the product to aid in choosing the right
> person.

Yes, that would be cool.

I think the API currently permits getting a printable list of all permissions. I made a user.roles.html template that displays these permissions -- same as reported by the command-line 'roundup-admin -i /path/to/tracker security'. So you could use that admin function and format as JSON.

Ralf

-- 
Dr. Ralf Schlatterbeck Tel: +43/2243/26465-16
Open Source Consulting www: http://www.runtux.com
Reichergasse 131, A-3411 Weidling email: office@runtux.com
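The two options debated in this thread (granting Search on user.roles versus a dedicated @permission endpoint), modelled in plain Python as an added example that is not Roundup's code; the users, roles, permissions and function names are constructed for illustration:

```python
# Added example, not Roundup's code: a model of Roundup-style View/Search
# permissions on the 'user' class. Data and function names are constructed.

USERS = {  # username -> roles (constructed sample data)
    "admin": {"Admin"},
    "alice": {"User", "Developer"},
    "bob": {"User"},
    "demo": {"User"},
}
# role -> {permission -> user properties it covers}; the custom 'Fixer'
# permission has no properties and simply gates an action.
PERMS = {
    "Admin": {"View": {"username", "roles"}, "Search": {"username", "roles"}},
    "User": {"View": {"username"}, "Search": {"username"}},
    "Developer": {"Fixer": set()},
}

def has_permission(actor, perm, prop=None):
    """True if one of actor's roles grants perm (on prop, when given)."""
    for role in USERS[actor]:
        props = PERMS.get(role, {}).get(perm)
        if props is not None and (prop is None or prop in props):
            return True
    return False

def rest_user_filter(actor, **filters):
    """Model of GET /rest/data/user?@fields=username&<prop>=<value>.
    Filters are gated on Search (not View); a filter on a property the
    actor may not Search is dropped, so a non-admin gets every user back,
    which is the behaviour reported in msg6572."""
    usable = {p: v for p, v in filters.items()
              if has_permission(actor, "Search", p)}
    matches = [name for name, roles in USERS.items()
               if all(v in roles if p == "roles" else v == name
                      for p, v in usable.items())]
    return sorted(matches)

def grant_search_on_roles():
    """Option 1: role 'User' may Search (but still not View) user.roles.
    Afterwards demo can filter roles=Admin and learn who the admins are."""
    PERMS["User"]["Search"].add("roles")

def rest_permission_endpoint(perm):
    """Option 2: a custom /rest/data/@permission/<perm> endpoint that
    resolves role membership server-side and exposes only the usernames
    holding the named permission, keeping user.roles unsearchable."""
    return sorted(u for u in USERS if has_permission(u, perm))
```

Running `rest_user_filter("demo", roles="Admin")` before and after `grant_search_on_roles()` shows the disclosure msg6576 worries about, while `rest_permission_endpoint("Fixer")` answers the helper's question without making roles searchable at all.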
History

Date | User | Action | Args
---|---|---|---
2019-07-22 14:52:10 | schlatterbeck | set | nosy: + schlatterbeck; messages: + msg6581; title: Rest interface can't select users with particular roles. -> Rest interface can't select users with particular roles. [keyword=rest]
2019-07-12 00:32:09 | rouilj | set | status: new -> fixed; priority: normal; type: behavior; assignee: rouilj; components: + Documentation, API; versions: + devel; messages: + msg6577; resolution: fixed
2019-07-11 13:18:40 | rouilj | set | messages: + msg6576; title: Rest interface can't select users with particular roles. [keyword=rest] -> Rest interface can't select users with particular roles.
2019-07-11 01:59:38 | rouilj | set | keywords: + rest
2019-07-10 18:36:26 | rouilj | create |