Updated by Hagen Schink over 12 years ago
A legitimate API request for a user who contributes to a public project (of which the requesting user is not a member) produces an empty result.
**Actual Behaviour**
The API hides users that do not share projects with the requesting user. This is intended to prevent dumping or crawling all users.
Note it is possible to crawl all users via the users-pages in the web frontend, if these are not disabled.
The client legitimately expects the user to exist and crashes.
**Expected Behaviour**
- To be designated -
If this behaviour is considered correct, the clients will have to be adjusted to handle "invisible" users.
**Reproduction**
- Given a public project where neither user A nor user B is a member
- Given a work package created by A in the project
- Request the project via the API as user B; user A's ID will be referenced
- Request user A to resolve the ID
-> empty result set
(Occurred on preview.openproject.org with project OpenProject, requesting user p.siegler, requested user tiger stone)
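The following is an added example, not code from the report or from the OpenProject project, of how a client can be adjusted to tolerate "invisible" users: a referenced user ID is resolved without assuming the API will return the user, and an empty result set (or a 404) becomes a placeholder instead of a crash. The endpoint path `/api/users/<id>`, the JSON field names and the sample responses are constructed assumptions for illustration.

```python
"""Client-side handling of "invisible" users referenced by an API.

Constructed example: the endpoint path, the JSON shape and the fake
responses below are assumptions, not the project's own API definition.
"""
from dataclasses import dataclass
from typing import Any, Callable, Dict, Tuple

# A fetcher takes a relative API path and returns (HTTP status, parsed JSON body).
Fetcher = Callable[[str], Tuple[int, Any]]


@dataclass(frozen=True)
class UserRef:
    id: int
    name: str
    visible: bool  # False when the API returned nothing for this ID


def resolve_user(fetch: Fetcher, user_id: int) -> UserRef:
    """Resolve a user ID without assuming the API will return the user.

    The API may hide users that share no project with the requester, so an
    empty result set or a 404 is treated as a legitimate, non-fatal outcome
    and mapped to a placeholder. Only server-side failures (5xx) are raised.
    """
    status, body = fetch(f"/api/users/{user_id}")  # assumed path
    if status >= 500:
        raise RuntimeError(f"server error {status} while resolving user {user_id}")
    if status == 200 and isinstance(body, dict) and body.get("id") == user_id:
        return UserRef(id=user_id, name=body.get("name") or f"User #{user_id}", visible=True)
    # 404, or 200 with an empty object/list: the user exists but is hidden from us.
    return UserRef(id=user_id, name=f"User #{user_id}", visible=False)


def label_author(fetch: Fetcher, work_package: Dict[str, Any]) -> str:
    """Produce a display label for a work package's author, never crashing
    on an author the requesting user is not allowed to see."""
    author = resolve_user(fetch, int(work_package["author_id"]))  # assumed field
    return author.name if author.visible else f"{author.name} (not visible to you)"


# Constructed fake API: user 7 is visible, 42 is hidden (empty result set),
# 99 answers 404, and 500 simulates a real server failure.
_FAKE_ROUTES: Dict[str, Tuple[int, Any]] = {
    "/api/users/7": (200, {"id": 7, "name": "alice"}),
    "/api/users/42": (200, []),
    "/api/users/99": (404, {"error": "not found"}),
    "/api/users/500": (503, None),
}


def fake_fetch(path: str) -> Tuple[int, Any]:
    return _FAKE_ROUTES.get(path, (404, None))


if __name__ == "__main__":
    # Mirrors the reproduction: the work package references an author the
    # requester cannot resolve; the client degrades instead of failing.
    print(label_author(fake_fetch, {"id": 1, "author_id": 42}))
    print(label_author(fake_fetch, {"id": 2, "author_id": 7}))
```

A client written this way treats every user reference in a project or work package as potentially unresolvable, which is the behaviour the report says clients would need if the API's hiding rule is kept.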