Message 6576
In message <20190710183624.452734C0317@itserver6.localdomain>,
John Rouillard writes:
>However emulating that with the rest interface isn't possible.
>the rest call to:
>
> https://....net/demo/rest/data/user?@fields=roles,username&roles=Developer'
>
>only works with the default schema if the user is an admin. If the
>user is not an admin, all users in the tracker are returned.
>
>I think the default schema needs to allow any user to search the Roles
>attribute of a user to make this work.
I tried this and it does seem to work. The demo user (non-admin) gets
the proper list of users. The roles field is not shown except for the
demo user itself since demo has no view access to other's roles.
>Also need to make sure that filtering uses search permissions and not
>view permissions.
It does use search perms (which default to view perms).
>I am not sure if there is a security implication to this.
Still not sure. It would be possible to find out who is an admin even
though no web view would disclose that info. Is this a significant
problem if we have rate limiting of login (password guessing) attempts
in place?
History:

Date                | User   | Action | Args
2019-07-11 13:18:40 | rouilj | set    | recipients: + rouilj
2019-07-11 13:18:40 | rouilj | link   | issue2551050 messages
2019-07-11 13:18:40 | rouilj | create |