Roundup Tracker - Issues

Message6576

Author: rouilj
Recipients: rouilj
Date: 2019-07-11.13:18:40
Message-id: <20190711131838.95F2B4C0402@itserver6.localdomain>
In-reply-to: <20190710183624.452734C0317@itserver6.localdomain>
In message <20190710183624.452734C0317@itserver6.localdomain>,
John Rouillard writes:
>However emulating that with the rest interface isn't possible.
>the rest call to:
>
> https://....net/demo/rest/data/user?@fields=roles,username&roles=Developer'
>
>only works with the default schema if the user is an admin. If the
>user is not an admin, all users in the tracker are returned.
>
>I think the default schema needs to allow any user to search the Roles
>attribute of a user to make this work.

I tried this and it does seem to work. The demo user (non-admin) gets
the proper list of users. The roles field is not shown except for the
demo user itself since demo has no view access to other's roles.

>Also need to make sure that filtering uses search permissions and not
>view permissions.

It does use search perms (which default to view perms).

>I am not sure if there is a security implication to this.

Still not sure. It would be possible to find out who is an admin even
though no web view would disclose that info. Is this a significant
problem if we have rate limiting of login (password guessing) attempts
in place?
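The permission question in this message (Search permission on user.roles falling back to View permission, and a filtered /rest/data/user listing revealing who holds a role even though the roles field itself is not shown) can be modelled in a few lines. The following is an added example for this thread, not Roundup's own security API: the Policy class, rest_list function, the user rows and the role names are all constructed here to illustrate the behaviour described above.

```python
from dataclasses import dataclass, field

# Constructed sample user table (not data from any real tracker). Roles are a
# comma-separated string, as in Roundup's default schema.
USERS = [
    {"id": 1, "username": "admin", "roles": "Admin"},
    {"id": 2, "username": "demo", "roles": "User"},
    {"id": 3, "username": "alice", "roles": "Developer"},
    {"id": 4, "username": "bob", "roles": "Developer,User"},
]


@dataclass
class Policy:
    """Hypothetical per-property permissions on class 'user'.

    view / search hold (role, property) pairs the role is allowed to View /
    Search. This is a toy model, not Roundup's security module.
    """
    view: set = field(default_factory=set)
    search: set = field(default_factory=set)

    def can_view(self, role, prop, own=False):
        # Assumption for the toy: a user may always view their own record.
        return own or (role, prop) in self.view

    def can_search(self, role, prop):
        # Mirrors the default described in the message: Search permission
        # falls back to View permission when no explicit Search grant exists.
        return (role, prop) in self.search or (role, prop) in self.view


def rest_list(policy, caller, fields, filters):
    """Hypothetical /rest/data/user handler.

    Every filtered property is checked against Search permission; every
    returned property is checked against View permission. Rows that match the
    filter are returned even when the filtered property itself is hidden,
    which is exactly what turns the listing into a role-membership oracle.
    """
    roles = caller["roles"].split(",")
    for prop in filters:
        if not any(policy.can_search(r, prop) for r in roles):
            return {"error": f"no Search permission on user.{prop}"}
    rows = [u for u in USERS
            if all(want in u[prop].split(",") for prop, want in filters.items())]
    out = []
    for u in rows:
        own = u["id"] == caller["id"]
        out.append({f: u[f] for f in fields
                    if any(policy.can_view(r, f, own) for r in roles)})
    return {"data": out}


# Everyone may view username; only Admin may view roles (constructed policy).
BASE_VIEW = {("Admin", "username"), ("Admin", "roles"),
             ("User", "username"), ("Developer", "username")}

# Variant discussed in the message: non-admins get Search (but not View) on roles.
LEAKY = Policy(view=set(BASE_VIEW), search={("User", "roles"), ("Developer", "roles")})
# Stricter variant: Search on roles is left to fall back to View, so only Admin has it.
STRICT = Policy(view=set(BASE_VIEW), search=set())


def demo_query(policy, who, role):
    """Run the '?@fields=roles,username&roles=<role>' query as the given user."""
    caller = next(u for u in USERS if u["username"] == who)
    return rest_list(policy, caller, ["username", "roles"], {"roles": role})


if __name__ == "__main__":
    # Non-admin learns who is Admin without ever seeing a roles value.
    print(demo_query(LEAKY, "demo", "Admin"))
    # Same query is refused when Search is not granted separately from View.
    print(demo_query(STRICT, "demo", "Admin"))
    # Admin still gets the full result, roles included.
    print(demo_query(STRICT, "admin", "Developer"))
```

Under LEAKY the demo user's query for roles=Admin returns the admin's username with the roles field stripped, which is the disclosure the message is worried about; under STRICT the same query is rejected before any row is filtered. Whether that disclosure matters is a policy decision, but the model makes clear that a Search grant on a property is itself an information-disclosure channel, independent of View.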
History
Date                 User    Action  Args
2019-07-11 13:18:40  rouilj  set     recipients: + rouilj
2019-07-11 13:18:40  rouilj  link    issue2551050 messages
2019-07-11 13:18:40  rouilj  create