Issue 3766 Any registered user should have access to use the account username REST endpoint
Project Member Reported by zaro0...@gmail.com, Jan 11 2016
Status: Released
Owner:
Closed: Feb 2016



Affected Version: 2.11+

What steps will reproduce the problem?

1. Execute the accounts REST endpoint with a registered user account to get the username of another account:
  curl --digest --user $user1:$user1_http_password http://localhost:8080/a/accounts/$user2/username
  result is: "not allowed to get username"

The code in gerrit-server/src/main/java/com/google/gerrit/server/account/GetUsername.java says that users need canAdministrateServer access to view another account's username, which doesn't make sense since this info is freely available for any user from the Gerrit UI and from the account details endpoint [1].

What is the expected output? What do you see instead?
Any registered Gerrit user should be able to access another user's username.

[1] curl --digest --user $user1:$user1_http_password http://localhost:8080/a/accounts/$user2/detail

 
Project Member Comment 1 by jrn@google.com, Jan 11 2016
SGTM. GetAccount and GetDetail already give access to the username, name, and preferred email.
Project Member Comment 2 by jrn@google.com, Jan 11 2016
Other account attributes:

Guarded by Administrate Server: capabilities, preferences.diff, preferences, password.http
Guarded by Modify Accounts: preferences.edit, emails, sshkeys
Only viewable by self: starred.changes

Bugs: preferences.* should probably be guarded by Modify Accounts instead of Administrate Server. emails should be public (issue 3754).
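
The inconsistency this issue reports (username refused on one endpoint but returned by two others), shown as an added example that is not part of the original thread or of Gerrit's code: a Python check over a constructed table of the guards listed in comment 2. The endpoint keys, the `Guard` ordering, and the guard assumed for GetAccount and GetDetail are assumptions made for illustration.

```python
from collections import defaultdict
from enum import IntEnum


class Guard(IntEnum):
    """Who may read an attribute of another account, weakest guard first."""
    REGISTERED_USER = 0
    MODIFY_ACCOUNTS = 1
    ADMINISTRATE_SERVER = 2
    SELF_ONLY = 3


# Constructed model of the pre-fix state: endpoint -> (guard, fields returned).
# "account"/"detail" stand for GetAccount/GetDetail; their guard is assumed.
ENDPOINTS = {
    "account": (Guard.REGISTERED_USER, {"username", "name", "preferred_email"}),
    "detail": (Guard.REGISTERED_USER, {"username", "name", "preferred_email"}),
    "username": (Guard.ADMINISTRATE_SERVER, {"username"}),
    "capabilities": (Guard.ADMINISTRATE_SERVER, {"capabilities"}),
    "preferences": (Guard.ADMINISTRATE_SERVER, {"preferences"}),
    "preferences.diff": (Guard.ADMINISTRATE_SERVER, {"preferences.diff"}),
    "password.http": (Guard.ADMINISTRATE_SERVER, {"password.http"}),
    "preferences.edit": (Guard.MODIFY_ACCOUNTS, {"preferences.edit"}),
    "emails": (Guard.MODIFY_ACCOUNTS, {"emails"}),
    "sshkeys": (Guard.MODIFY_ACCOUNTS, {"sshkeys"}),
    "starred.changes": (Guard.SELF_ONLY, {"starred.changes"}),
}


def find_inconsistent_guards(endpoints):
    """List endpoints whose guard on a field is stricter than another route to it."""
    exposures = defaultdict(list)
    for endpoint, (guard, fields) in endpoints.items():
        for field in fields:
            exposures[field].append((guard, endpoint))

    findings = []
    for field in sorted(exposures):
        weakest = min(guard for guard, _ in exposures[field])
        open_via = sorted(ep for g, ep in exposures[field] if g == weakest)
        for guard, endpoint in sorted(exposures[field]):
            if guard > weakest:
                findings.append((field, endpoint, guard.name, weakest.name, open_via))
    return findings


if __name__ == "__main__":
    for field, endpoint, guard, weakest, open_via in find_inconsistent_guards(ENDPOINTS):
        print(f"{field}: {endpoint} requires {guard}; open to {weakest} via {', '.join(open_via)}")
```

A finding means the stricter guard protects nothing, because the same field is already readable through a weaker route; the resolution is either to relax that guard, as this issue proposes, or to tighten the weaker endpoints.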
Project Member Comment 3 by zaro0...@gmail.com, Jan 11 2016
Owner: zaro0...@gmail.com
Status: ChangeUnderReview
Proposed fixes:
 https://gerrit-review.googlesource.com/#/c/73800
 https://gerrit-review.googlesource.com/73801
Project Member Comment 4 by ekempin@google.com, Feb 5 2016
Labels: FixedIn-2.13
Status: Submitted
Project Member Comment 5 by huga...@gmail.com, Sep 22
Status: Released