Issue 3754: View All Accounts permission does not allow accounts rest endpoint to access email info
Status:  ChangeUnderReview
Owner:  zaro0508


Project Member Reported by zaro0508, Jan 7 (2 days ago)
Affected Version: 2.11 and master

What steps will reproduce the problem?
1. Execute the accounts REST endpoint with a registered user account to list emails of another account:
  curl --digest --user $user1:$user1_http_password http://localhost:8080/a/accounts/$user2/emails
  Result is: "not allowed to list email addresses"

2. As administrator, go to Projects->list->All-Projects
    Add global capability 'View All Accounts : Registered Users'

3. Execute the account API call in step 1 again.

What is the expected output? What do you see instead?
I would expect that setting 'View All Accounts : Registered Users' would allow all registered users to view email info on another user.

Please provide any additional information below.
    Adding global capability 'Modify Account : Registered Users' will work, but I don't think that's the right permission for this.


Jan 7 (2 days ago)
Project Member #1 zaro0508
(No comment was entered for this change.)
Owner: zaro0508
Jan 7 (2 days ago)
#2 jrnieder
View All Accounts is about whether the user can see and interact with the other account at all. See https://gerrit-review.googlesource.com/Documentation/config-gerrit.html#accounts
Jan 8 (2 days ago)
Project Member #3 zaro0508
@ jmieder, sorry but I'm not exactly sure what you are trying to convey. I don't want to make any assumptions, so could you please expand?
Jan 8 (2 days ago)
Project Member #4 jrn@google.com
Sorry for the lack of clarity. What I meant is that this is intended behavior (except the documentation can probably be improved).
Jan 8 (2 days ago)
Project Member #5 zaro0508
Then I guess I don't understand the difference between modify account and view all accounts. From reading the docs I assumed the following:

 modify account - groups assigned this permission can modify any other user account info.
 view all accounts - groups assigned this permission can view any other user account info but not modify it.

Why would a user need modify account permission to view another user's email info?

Jan 8 (2 days ago)
Project Member #6 zaro0508
proposed fix: https://gerrit-review.googlesource.com/73639
Status: ChangeUnderReview