Message6581
On Wed, Jul 10, 2019 at 06:36:26PM +0000, John Rouillard wrote:
> I expect the rest API to be used for user selection helpers (seen in
> the web interface with the "(list)" link).
>
> This can require selecting users with a particular role. An example
> in the customization document discusses limiting people who can be
> assigned to an issue. To do this, assign the new role Developer to
> the user. Then use this role to filter people with appropriate
> permission check e.g. fixer.
>
> However emulating that with the rest interface isn't possible.
> The rest call to:
>
> https://....net/demo/rest/data/user?@fields=roles,username&roles=Developer'
>
> only works with the default schema if the user is an admin. If the
> user is not an admin, all users in the tracker are returned.

You may want to set View (or only Search) permissions for user.roles in
your tracker for some.
I don't think that we want this as a general default. Per default,
currently, normal users (role 'User') may not see roles.

> I think the default schema needs to allow any user to search the Roles
> attribute of a user to make this work. Also need to make sure that
> filtering uses search permissions and not view permissions. I am not
> sure if there is a security implication to this.

I think I fixed the check for filtering to use Search permissions at
some point but I may remember this wrongly.

> Another way would be to expose permissions as objects in the rest
> interface allowing listing of users with a particular permission.
> E.G.
>
> demo/rest/data/@permission/fixer?@fields=username,responsibilty
>
> to generate a helper table with usernames and a text description of
> the responsible sections of the product to aid in choosing the right
> person.

Yes, that would be cool.
I think the API currently permits to get a printable list of all
permissions, I made a user.roles.html template that displays these
permissions -- same as reported by the command-line

    roundup-admin -i /path/to/tracker security

So you could use that admin function and format as JSON.

Ralf
--
Dr. Ralf Schlatterbeck Tel: +43/2243/26465-16
Open Source Consulting www: http://www.runtux.com
Reichergasse 131, A-3411 Weidling email: office@runtux.com
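
An added example, not part of the original message and not Roundup code: a simplified Python model of the per-property View and Search permissions discussed above, showing a filter that is silently dropped, a strict variant that refuses the request, and a Search-only grant on roles. The names (`list_users`, `allowed`, `FilterDenied`), the sample users and the rule that View implies Search are assumptions made for illustration.

```python
# Simplified model of per-property permissions (constructed; not Roundup code).
USERS = [  # constructed sample data
    {"username": "admin", "roles": "Admin"},
    {"username": "alice", "roles": "User,Developer"},
    {"username": "bob", "roles": "User"},
]


class FilterDenied(Exception):
    """Raised when a caller filters on a property it may not search."""


def allowed(perms, role, action, prop):
    """True if `role` holds `action` on `prop`; View implies Search here."""
    granted = perms.get(role, set())
    if action == "Search" and ("View", prop) in granted:
        return True
    return (action, prop) in granted


def list_users(perms, role, fields, filters, strict=True):
    """Return user rows visible to `role`, filtered by `filters`.

    strict=False models the reported behaviour: a filter the caller
    may not use is dropped and every user comes back.
    strict=True rejects the request instead of widening the result.
    """
    usable = {}
    for prop, wanted in filters.items():
        if allowed(perms, role, "Search", prop):
            usable[prop] = wanted
        elif strict:
            raise FilterDenied(prop)
    rows = []
    for user in USERS:
        if all(want in user[p].split(",") for p, want in usable.items()):
            # Only properties the caller may View are returned.
            rows.append({f: user[f] for f in fields
                         if allowed(perms, role, "View", f)})
    return rows


# Default-like setup: role 'User' may view usernames but not roles.
DEFAULT = {"User": {("View", "username")}}
# Search-only grant on roles: filtering works, role values stay hidden.
SEARCH_ONLY = {"User": {("View", "username"), ("Search", "roles")}}
```

With a Search-only grant the role values are not returned, but a caller can still learn who holds a given role by filtering on it.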

Date | User | Action | Args
2019-07-22 14:52:10 | schlatterbeck | set | recipients: + schlatterbeck, rouilj
2019-07-22 14:52:10 | schlatterbeck | link | issue2551050 messages
2019-07-22 14:52:10 | schlatterbeck | create |