Bug #18636
closedmake "relations" visible to unauth'd Redmine API clients
0%
Description
I have to use my "ken.dreyer" Redmine account to look up relations for a ticket using the REST API.
For example this works:
curl -v -H 'X-Redmine-API-Key: foobar' http://tracker.ceph.com/issues/17858/relations.json
This does not (HTTP 403 error):
curl -v http://tracker.ceph.com/issues/17858/relations.json
The information is already public via the web UI (see http://tracker.ceph.com/issues/17858/), and it appears that it's only the REST API that is restricted in this way.
Can we disable this requirement in Redmine's settings somehow?
Updated by David Galloway over 7 years ago
- Category set to Infrastructure Service
- Status changed from New to In Progress
- Assignee set to David Galloway
I'm looking into this
Updated by David Galloway over 7 years ago
- Status changed from In Progress to Need More Info
This doesn't appear to be a configurable setting. In the Admin settings, the REST API is either on or off. Individual trackers don't have separate API settings.
Based on the API docs, auth is required: https://www.redmine.org/projects/redmine/wiki/Rest_api
Updated by Ken Dreyer about 7 years ago
- Status changed from Need More Info to Closed
Thanks for looking into this. I read the docs and found that I can just tack on ?include=relations
to the unauthenticated API request, and it works fine.