
Issue metadata

Status: Released
Closed: Jan 2016


View All Accounts permission does not allow accounts rest endpoint to access email info

Project Member Reported by, Jan 8 2016

Issue description

Affected Version: 2.11 and master

What steps will reproduce the problem?
1. Execute the accounts REST endpoint with a registered user account to list emails of another account:
  curl --digest --user "$user1:$user1_http_password" "http://localhost:8080/a/accounts/$user2/emails"
  result is: "not allowed to list email addresses"

2. As administrator, go to Projects->list->All-Projects
    Add global capability 'View All Accounts : Registered Users'

3. Execute the account API in step 1 again.

What is the expected output? What do you see instead?
I would expect that setting 'View All Accounts : Registered Users' would allow all registered users to view email info on another user.

Please provide any additional information below.
Adding global capability 'Modify Account : Registered Users' will work, but I don't think that's the right permission for this.

Project Member

Comment 1 by, Jan 8 2016


Comment 2 by, Jan 8 2016

View All Accounts is about whether the user can see and interact with the other account at all. See
Project Member

Comment 3 by, Jan 8 2016

@jmieder, sorry, but I'm not exactly sure what you are trying to convey. I don't want to make any assumptions, so could you please expand?
Project Member

Comment 4 by, Jan 8 2016

Sorry for the lack of clarity. What I meant is that this is intended behavior (except the documentation can probably be improved).
Project Member

Comment 5 by, Jan 8 2016

Then I guess I don't understand the difference between modify account and view all accounts. From reading the docs I assumed the following:

 modify account - groups assigned this permission can modify any other user account info.
 view all accounts - groups assigned this permission can view any other user account info but not modify it.

Why would a user need modify account permission to view another user's email info?

Project Member

Comment 6 by, Jan 8 2016

Status: ChangeUnderReview
proposed fix:
Project Member

Comment 7 by, Jan 14 2016

Status: Submitted
Project Member

Comment 8 by, Aug 9 2016

Labels: FixedIn-2.13
Project Member

Comment 9 by, Sep 22 2016

Status: Released (was: Submitted)
