Updated by Deleted user over 12 years ago
The API hides users that do not share projects with the requesting user.
While this prevents crawling / dumping users, a legitimate API request on a user contributing in a public project (one of the users is not a member of) produces an empty result.
**Actual Behaviour**
The API hides users that do not share projects with the requesting user. This is intended to prevent dumping or crawling all users.
The client legitimately expects the user to exist and crashes.
**Expected Behaviour**
\- To be designated -
If this behaviour is considered correct, the Clients will have to be adjusted to handle “invisible” users.
**Reproduction**
- Given a public project where neither user A nor user B is a member
- Given a workpackage created by A in the project
- Request the Project via the API as user B, user A’s ID will be referenced
- Request user A to resolve the ID
-> empty result set
(Occurred on preview.openproject.org with project OpenProject, requesting user p.siegler, requested user tiger stone)
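
The reproduction above as a small in-memory model, with a client that tolerates "invisible" users instead of crashing. This is an added example, not OpenProject code and not part of the original report; `Directory`, `find_user`, `HiddenUser` and `resolve_author` are hypothetical names and the sample data is constructed.

```ruby
require "set"

User = Struct.new(:id, :name)

# Hypothetical stand-in for the server side of the user lookup.
class Directory
  def initialize(users, memberships)
    @users = users.to_h { |u| [u.id, u] }
    @memberships = memberships # { project name => Set of member user ids }
  end

  # Visibility rule from the report: a user is returned only when the
  # requester shares at least one project membership with that user.
  # A hidden user and a nonexistent ID both yield the same empty set,
  # which is what keeps the lookup useless for enumerating users.
  def find_user(requester_id, user_id)
    return [] unless @users.key?(user_id)
    shared = @memberships.values.any? do |members|
      members.include?(requester_id) && members.include?(user_id)
    end
    shared ? [@users[user_id]] : []
  end
end

# Placeholder the client renders when a referenced ID does not resolve.
HiddenUser = Struct.new(:id) do
  def name
    "(user ##{id} not visible)"
  end
end

# Tolerant resolution: an empty result for an ID that a work package
# referenced is treated as "hidden", not as an error.
def resolve_author(directory, requester_id, author_id)
  directory.find_user(requester_id, author_id).first || HiddenUser.new(author_id)
end

# Constructed data: A and B are not members of the public project.
USER_A = User.new(1, "user A")
USER_B = User.new(2, "user B")
DIRECTORY = Directory.new([USER_A, USER_B],
                          { "public project" => Set[], "other project" => Set[1] })
WORK_PACKAGE = { subject: "sample", author_id: USER_A.id } # created by A

def demo
  naive = DIRECTORY.find_user(USER_B.id, WORK_PACKAGE[:author_id]).first
  tolerant = resolve_author(DIRECTORY, USER_B.id, WORK_PACKAGE[:author_id])
  [naive, tolerant.name] # naive is nil: calling naive.name is the crash
end

p demo if __FILE__ == $PROGRAM_NAME
```

The placeholder carries only the ID the work package already exposed, so the tolerant client shows nothing that the visibility rule withheld.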