Roundup Tracker - Issues

Message6581

Author: schlatterbeck
Recipients: rouilj, schlatterbeck
Date: 2019-07-22.14:52:10
Message-id: <20190722145208.x5vkgi42bpfykr3e@runtux.com>
In-reply-to: <20190710183624.452734C0317@itserver6.localdomain>

On Wed, Jul 10, 2019 at 06:36:26PM +0000, John Rouillard wrote:
> I expect the rest API to be used for user selection helpers (seen in
> the web interface with the "(list)" link).
> 
> This can require selecting users with a particular role.  An example
> in the customization document discusses limiting people who can be
> assigned to an issue.  To do this, assign the new role Developer to
> the user.  Then use this role to filter people with appropriate
> permission check e.g. fixer.
> 
> However, emulating that with the rest interface isn't possible.
> The rest call to:
> 
>  https://....net/demo/rest/data/user?@fields=roles,username&roles=Developer'
> 
> only works with the default schema if the user is an admin. If the
> user is not an admin, all users in the tracker are returned.

You may want to set View (or only Search) permissions for user.roles in
your tracker for some.

I don't think that we want this as a general default. Per default,
currently, normal users (role 'User') may not see roles.

> I think the default schema needs to allow any user to search the Roles
> attribute of a user to make this work. Also need to make sure that
> filtering uses search permissions and not view permissions. I am not
> sure if there is a security implication to this.

I think I fixed the check for filtering to use Search permissions at
some point but I may remember this wrongly.

> Another way would be to expose permissions as objects in the rest
> interface allowing listing of users with a particular permission.
> E.G.
> 
>    demo/rest/data/@permission/fixer?@fields=username,responsibilty
> 
> to generate a helper table with usernames and a text description of
> the responsible sections of the product to aid in choosing the right
> person.

Yes, that would be cool.
I think the API currently permits getting a printable list of all
permissions; I made a user.roles.html template that displays these
permissions -- same as reported by the command-line
  'roundup-admin -i /path/to/tracker security'

So you could use that admin function and format as JSON.

Ralf
-- 
Dr. Ralf Schlatterbeck                  Tel:   +43/2243/26465-16
Open Source Consulting                  www:   http://www.runtux.com
Reichergasse 131, A-3411 Weidling       email: office@runtux.com

History

Date                 User           Action  Args
2019-07-22 14:52:10  schlatterbeck  set     recipients: + schlatterbeck, rouilj
2019-07-22 14:52:10  schlatterbeck  link    issue2551050 messages
2019-07-22 14:52:10  schlatterbeck  create
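
Added example, not part of the message above and not Roundup code: a simplified Python model of the behaviour discussed in this thread, where a filter on user.roles is gated on Search permission and the returned fields on View. The function names, the grants table, the `strict` flag and the sample users are all hypothetical; the lenient branch only reproduces the outcome reported in the thread (all users returned to a non-admin).

```python
# Simplified model, NOT Roundup's implementation. All names are hypothetical.
USERS = [  # constructed sample data
    {"username": "admin", "roles": "Admin"},
    {"username": "alice", "roles": "User,Developer"},
    {"username": "bob", "roles": "User"},
]

# Grants are (role, permission, property-of-user-class) tuples.
DEFAULT = {
    ("Admin", "View", "username"), ("Admin", "View", "roles"),
    ("User", "View", "username"),  # role 'User' may not see roles
}
WITH_SEARCH = DEFAULT | {("User", "Search", "roles")}  # Search only, no View


def can_search(grants, role, prop):
    """Filtering is gated on Search; in this model View also allows it."""
    return (role, "Search", prop) in grants or (role, "View", prop) in grants


def list_users(grants, role, fields, filters, strict):
    """Model of GET .../rest/data/user?@fields=<fields>&<prop>=<value>."""
    rows = USERS
    for prop, wanted in filters.items():
        if can_search(grants, role, prop):
            rows = [u for u in rows if wanted in u[prop].split(",")]
        elif strict:
            # Hardened behaviour: refuse instead of widening the result set.
            raise PermissionError(f"no Search permission on user.{prop}")
        # Lenient behaviour: the filter is dropped and every row stays.
    # Output is gated separately, on View.
    visible = [f for f in fields if (role, "View", f) in grants]
    return [{f: u[f] for f in visible} for u in rows]


if __name__ == "__main__":
    query = (["roles", "username"], {"roles": "Developer"})
    for label, grants, role in [("default, Admin", DEFAULT, "Admin"),
                                ("default, User", DEFAULT, "User"),
                                ("Search granted, User", WITH_SEARCH, "User")]:
        print(label, list_users(grants, role, *query, strict=False))
```

With Search granted but not View, the roles column stays hidden, yet the filtered result itself tells the caller who holds Developer, which is the trade-off to weigh before making it a default.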