Status: Released
Closed: Feb 2016

Any registered user should have access to use the account username REST endpoint
Project Member Reported by, Jan 11 2016
Affected Version: 2.11+

What steps will reproduce the problem?

1. Execute the accounts REST endpoint with a registered user account to get the username of another account:
  curl --digest --user $user1:$user1_http_password http://localhost:8080/a/accounts/$user2/username
  result is: "not allowed to get username"

The code in gerrit-server/src/main/java/com/google/gerrit/server/account/ says that users need canAdministrateServer access to view another account's username, which doesn't make sense since this info is freely available for any user from the Gerrit UI and from the account details endpoint[1].

What is the expected output? What do you see instead?
Any registered Gerrit user should be able to access another user's username.

[1] curl --digest --user $user1:$user1_http_password http://localhost:8080/a/accounts/$user2/detail

Project Member Comment 1 by, Jan 11 2016
SGTM. GetAccount and GetDetail already give access to the username, name, and preferred email.
Project Member Comment 2 by, Jan 11 2016
Other account attributes:

Guarded by Administrate Server: capabilities, preferences.diff, preferences, password.http
Guarded by Modify Accounts: preferences.edit, emails, sshkeys
Only viewable by self: starred.changes

Bugs: preferences.* should probably be guarded by Modify Accounts instead of Administrate Server. emails should be public (issue 3754).
Project Member Comment 3 by, Jan 11 2016
Status: ChangeUnderReview
proposed fixes:
Project Member Comment 4 by, Feb 5 2016
Labels: FixedIn-2.13
Status: Submitted
Project Member Comment 5 by, Sep 22 2016
Status: Released