Updated by Jonas Heinrich (Finn) almost 12 years ago
**Reproduction**
1. Log into your browser as a user that is not allowed to edit any project
2. Call https://www.openproject.org/api/v2/custom_fields.xml (substitute openproject.org with your instance)
**Expected**
- You can retrieve the list of custom fields
- You can only see custom_fields that are used in projects you are able to see (i.e. all custom fields that you can already know from the web UI)
**Actual**
It is not possible to see any custom fields at all (HTTP 403) because it is necessary to be allowed to edit at least one project to be able to list custom fields.
The actual behavior is problematic, because it is <s>not possible</s> very hard to retrieve the name of a custom field for non-privileged users.
When you call the [index-action for planning elements](https://www.openproject.org/api/v2/projects/openproject/planning_elements.xml) you only get to know the ID of the custom fields for all the custom field values, e.g.
```xml
<cf_1>Time Tracking</cf_1>
<cf_4>3.0.0pre44</cf_4>
<cf_5>3.0.0pre38</cf_5>
```
This is **critical** as IDR wants to synchronize Custom Fields between MyProject 4.0 and the Project Task Connector. The only API available on MyProject 4.0 is APIv2. Therefore a fix needs to find its way into **Release 3.0**.
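
The reported and the requested authorization behaviour side by side, as an added Ruby example that is not part of the original report and is not OpenProject code. The data model, field names and project ids are constructed assumptions; only the `cf_1` and `cf_4` values come from the report.

```ruby
# Added illustration; not OpenProject code. All names and data are constructed.
require 'set'

User        = Struct.new(:name, :viewable, :editable)  # sets of project ids
CustomField = Struct.new(:id, :name, :project_ids)     # projects using the field

FIELDS = [
  CustomField.new(1, 'Module',         Set[:public_proj]),
  CustomField.new(4, 'Target version', Set[:public_proj, :internal_proj]),
  CustomField.new(7, 'Budget code',    Set[:internal_proj])
].freeze

# Behaviour reported under "Actual": listing is gated on edit rights in at
# least one project, so a read-only user gets 403 and no field names at all.
def index_actual(user)
  return [403, []] if user.editable.empty?
  [200, FIELDS]
end

# Behaviour requested under "Expected": no edit gate; the list is scoped to
# fields used in at least one project the user is able to see.
def index_expected(user)
  [200, FIELDS.select { |cf| cf.project_ids.intersect?(user.viewable) }]
end

# Resolve the cf_<id> keys of a planning element to names using a field list.
# Keys without a matching field stay as opaque ids.
def label_values(values, fields)
  names = fields.to_h { |cf| ["cf_#{cf.id}", cf.name] }
  values.to_h { |key, v| [names.fetch(key, key), v] }
end

# A user who can see one project and edit none (constructed).
READER  = User.new('reader', Set[:public_proj], Set[])
# Custom field values as returned by the planning elements index (from the report).
ELEMENT = { 'cf_1' => 'Time Tracking', 'cf_4' => '3.0.0pre44' }.freeze
```

The scoped variant never returns field 7, which is used only in a project the reader cannot see, so removing the edit gate does not widen what the user can learn beyond the web UI.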