I expect the rest API to be used for user selection helpers (seen in
the web interface with the "(list)" link).

This can require selecting users with a particular role.  An example
in the customization document discusses limiting people who can be
assigned to an issue.  To do this, assign the new role Developer to
the user.  Then use this role to filter people with appropriate
permission check e.g. fixer.

However emulating that with the rest interface isn't possible.
the rest call to:

 https://....net/demo/rest/data/user?@fields=roles,username&roles=Developer'

only works with the default schema if the user is an admin. If the
user is not an admin, all users in the tracker are returned.

I think the default schema needs to allow any user to search the Roles
attribute of a user to make this work. Also need to make sure that
filtering uses search permissions and not view permissions. I am not
sure if there is a security implication to this.

Another way would be to expose permissions as objects in the rest
interface allowing listing of users with a particular permission.
E.G.

   demo/rest/data/@permission/fixer?@fields=username,responsibilty

to generate a helper table with usernames and a text description of
the responsible sections of the product to aid in choosing the right
person.

The code backing this could access the user with admin privs allowing
the search of roles and return the user list matching the requested
permission. I think this is similar in concept to what the web
interface does.

Quips, comments, evasions, questions, observations or answers?