Updated by Jens Ulferts over 6 years ago
### **Steps to reproduce:**
1. Untick "Authorization required"
2. Using browser where no login information is present access /api/v3/relations/:id
### **Actual Behavior**
Regardless of whether the involved work packages are in public projects or not, the user is able to retrieve the relation including the involved work packages.
Even if the user is logged in and authorization is required, a user is able to retrieve relations for work packages they are not allowed to see and thereby learn which work packages are involved.
### **Expected Behavior**
Only show relations that connect two work packages the requesting user is allowed to see. The `visible` scope will do that.
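The check described above, as an added example that is not OpenProject's own code: the Rails models and the database-backed `visible` scope are replaced by plain-Ruby stand-ins (the `Project`, `WorkPackage`, `Relation`, `User` structs and the `RelationStore` class are assumptions for illustration). `find_unscoped` reproduces the reported behaviour of looking up a relation by id alone; `find_visible` applies the expected rule that a relation is returned only when both work packages it connects are visible to the requesting user, whether that user is anonymous or logged in.

```ruby
# Added example, not code from the OpenProject project. All models below are
# constructed in-memory stand-ins for the Rails models named in the report.
Project     = Struct.new(:id, :is_public, :member_ids)
WorkPackage = Struct.new(:id, :project)
Relation    = Struct.new(:id, :from, :to)
User        = Struct.new(:id, :anonymous)

class RelationStore
  def initialize(relations)
    @relations = relations
  end

  # Reported (vulnerable) behaviour: the relation is looked up by id without
  # checking whether the requester may see the work packages it connects.
  def find_unscoped(id)
    @relations.find { |r| r.id == id }
  end

  # Expected behaviour: look the id up only among relations visible to the user.
  def find_visible(id, user)
    visible(user).find { |r| r.id == id }
  end

  # Stand-in for the `visible` scope: a relation is visible only when BOTH of
  # its work packages are visible to the user. A relation with one visible and
  # one hidden end is excluded, because returning it would reveal the hidden end.
  def visible(user)
    @relations.select do |r|
      work_package_visible?(r.from, user) && work_package_visible?(r.to, user)
    end
  end

  private

  # Work package visibility rule assumed here: anyone (including anonymous
  # users) may see work packages in public projects; otherwise the user must be
  # a logged-in member of the project.
  def work_package_visible?(work_package, user)
    project = work_package.project
    return true if project.is_public
    return false if user.anonymous
    project.member_ids.include?(user.id)
  end
end

# Constructed sample data: one public and one private project, a relation
# inside the public project and one crossing into the private project.
PUBLIC_PROJECT  = Project.new(1, true,  [])
PRIVATE_PROJECT = Project.new(2, false, [42])

WP_PUBLIC_A = WorkPackage.new(10, PUBLIC_PROJECT)
WP_PUBLIC_B = WorkPackage.new(11, PUBLIC_PROJECT)
WP_PRIVATE  = WorkPackage.new(12, PRIVATE_PROJECT)

RELATIONS = [
  Relation.new(100, WP_PUBLIC_A, WP_PUBLIC_B), # public <-> public
  Relation.new(101, WP_PUBLIC_A, WP_PRIVATE)   # public <-> private
].freeze

STORE     = RelationStore.new(RELATIONS)
ANONYMOUS = User.new(nil, true)   # "Authorization required" unticked, no login
OUTSIDER  = User.new(7, false)    # logged in, not a member of the private project
MEMBER    = User.new(42, false)   # logged in member of the private project

if __FILE__ == $PROGRAM_NAME
  puts "unscoped lookup of 101 by anonymous: #{STORE.find_unscoped(101)&.id.inspect}"
  puts "visible lookup of 101 by anonymous:  #{STORE.find_visible(101, ANONYMOUS)&.id.inspect}"
  puts "visible lookup of 101 by outsider:   #{STORE.find_visible(101, OUTSIDER)&.id.inspect}"
  puts "visible lookup of 101 by member:     #{STORE.find_visible(101, MEMBER)&.id.inspect}"
end
```

The point of scoping the lookup rather than checking after the fact is that a relation for a hidden work package must be indistinguishable from a relation that does not exist: `find_visible` returns `nil` for both, so the endpoint cannot be used to enumerate which ids are linked to private work packages.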