
Issue metadata

Status: Released
Closed: Feb 2016


Any registered user should have access to use the account username REST endpoint

Project Member Reported by, Jan 11 2016

Issue description

Affected Version: 2.11+

What steps will reproduce the problem?

1. Execute the accounts REST endpoint with a registered user account to get the username of another account:
  curl --digest --user $user1:$user1_http_password http://localhost:8080/a/accounts/$user2/username
  result is: "not allowed to get username"

The code in gerrit-server/src/main/java/com/google/gerrit/server/account/ says that users need canAdministrateServer access to view another account's username, which doesn't make sense since this info is freely available for any user from the Gerrit UI and from the account details endpoint [1].

What is the expected output? What do you see instead?
Any registered Gerrit user should be able to access another user's username.

[1] curl --digest --user $user1:$user1_http_password http://localhost:8080/a/accounts/$user2/detail

Project Member

Comment 1 by, Jan 11 2016

SGTM. GetAccount and GetDetail already give access to the username, name, and preferred email.

Project Member

Comment 2 by, Jan 11 2016

Other account attributes:

Guarded by Administrate Server: capabilities, preferences.diff, preferences, password.http
Guarded by Modify Accounts: preferences.edit, emails, sshkeys
Only viewable by self: starred.changes

Bugs: preferences.* should probably be guarded by Modify Accounts instead of Administrate Server. emails should be public (issue 3754).

Project Member

Comment 3 by, Jan 11 2016

Status: ChangeUnderReview
proposed fixes:

Project Member

Comment 4 by, Feb 5 2016

Labels: FixedIn-2.13
Status: Submitted

Project Member

Comment 5 by, Sep 22 2016

Status: Released (was: Submitted)
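
The inconsistency reported in this issue, as an added example that is not Gerrit code: a small audit over an endpoint-to-guard map built from the thread, flagging any attribute that one endpoint guards strictly while a less restricted endpoint returns it too. The level names, their ordering, and the map layout are assumptions of the example.

```python
from collections import defaultdict

# Least to most privileged. Ranking Modify Accounts below Administrate Server
# is an assumption of this sketch.
RANK = {"registered": 0, "modify_accounts": 1, "administrate_server": 2}

# Constructed from the thread: endpoint -> (required level, attributes returned).
# Keys and attribute names are illustrative labels, not Gerrit identifiers.
ENDPOINTS = {
    "GetAccount": ("registered", {"username", "name", "preferred_email"}),
    "GetDetail": ("registered", {"username", "name", "preferred_email"}),
    "username": ("administrate_server", {"username"}),
    "capabilities": ("administrate_server", {"capabilities"}),
    "preferences": ("administrate_server", {"preferences"}),
    "preferences.diff": ("administrate_server", {"preferences.diff"}),
    "password.http": ("administrate_server", {"password.http"}),
    "preferences.edit": ("modify_accounts", {"preferences.edit"}),
    "emails": ("modify_accounts", {"emails"}),
    "sshkeys": ("modify_accounts", {"sshkeys"}),
}


def find_bypassed_guards(endpoints):
    """Return (attribute, strict_endpoint, strict_level, weaker_endpoints) for
    every endpoint whose guard on an attribute is stricter than another
    endpoint that returns the same attribute."""
    by_attr = defaultdict(list)
    for name, (level, attrs) in endpoints.items():
        if level not in RANK:
            raise ValueError(f"unknown access level {level!r} on {name!r}")
        for attr in attrs:
            by_attr[attr].append((RANK[level], level, name))

    findings = []
    for attr in sorted(by_attr):
        uses = sorted(by_attr[attr])
        lowest = uses[0][0]  # rank of the least restricted endpoint
        weaker = [name for rank, _, name in uses if rank == lowest]
        for rank, level, name in uses:
            if rank > lowest:
                findings.append((attr, name, level, weaker))
    return findings


if __name__ == "__main__":
    for attr, ep, level, weaker in find_bypassed_guards(ENDPOINTS):
        print(f"{attr}: {ep} requires {level}, but {weaker} already return it")
```

A finding means the stricter guard protects nothing, so either the strict endpoint should be relaxed (as proposed here) or the weaker endpoints should stop returning the attribute.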
