Issue 3754 View All Accounts permission does not allow accounts rest endpoint to access email info
Project Member Reported by, Jan 8 2016
Status: Released
Closed: Jan 2016

Affected Version: 2.11 and master

What steps will reproduce the problem?
1. Execute the accounts REST endpoint with a registered user account to list the emails of another account:
  curl --digest --user "$user1:$user1_http_password" "http://localhost:8080/a/accounts/$user2/emails"
  Result is: "not allowed to list email addresses"

2. As administrator, go to Projects->list->All-Projects
    Add global capability 'View All Accounts : Registered Users'

3. Execute the account API call in step 1 again.

What is the expected output? What do you see instead?
I would expect that setting 'View All Accounts : Registered Users' would allow all registered users to view email info on another user.

Please provide any additional information below.
    Adding global capability 'Modify Account : Registered Users' will work, but I don't think that's the right permission for this.

Project Member Comment 1 by, Jan 8 2016
Comment 2 by, Jan 8 2016
View All Accounts is about whether the user can see and interact with the other account at all. See
Project Member Comment 3 by, Jan 8 2016
@ jmieder, sorry, but I'm not exactly sure what you are trying to convey. I don't want to make any assumptions, so could you please expand?
Project Member Comment 4 by, Jan 8 2016
Sorry for the lack of clarity. What I meant is that this is intended behavior (except the documentation can probably be improved).
Project Member Comment 5 by, Jan 8 2016
Then I guess I don't understand the difference between modify account and view all accounts. From reading the docs I assumed the following:

 modify account - groups assigned this permission can modify any other user account info.
 view all accounts - groups assigned this permission can view any other user account info but not modify it.

Why would a user need modify account permission to view another user's email info?

Project Member Comment 6 by, Jan 8 2016
Status: ChangeUnderReview
proposed fix:
Project Member Comment 7 by, Jan 14 2016
Status: Submitted
Project Member Comment 8 by, Aug 9 2016
Labels: FixedIn-2.13
Project Member Comment 9 by, Sep 22
Status: Released