  1. SonarQube
  2. SONAR-7874

Restrict anonymous access for some WS

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: 5.6.1, 6.0
    • Component/s: Web API

      Description

      The following WS are all accessible anonymously where they should be partially or fully protected against anonymous access:

      • /api/users/search
        • Currently, "Administer System permission is required to show the 'groups' field."
        • We should extend this filtering: when accessed anonymously, this WS should return only:
          • login
          • name
      • /api/user_groups/search
        • Currently, it is accessible anonymously: there's no valid reason for this (this is used only for admin features)
        • We should restrict access to logged-in users
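
A regression check for the behaviour requested above, as an added example that is not SonarQube code: it inspects responses fetched without credentials and reports any field beyond login and name from /api/users/search, and any answer from /api/user_groups/search that is not a refusal. The "users" response key, the 401/403 refusal codes and the sample bodies are assumptions constructed for illustration.

```python
import json

# Fields the ticket allows an anonymous caller to see on /api/users/search.
ANONYMOUS_USER_FIELDS = {"login", "name"}
DENIED = (401, 403)  # assumption: a refused request gets one of these codes

def check_users_search(status, body):
    """Findings for an anonymous /api/users/search response."""
    if status in DENIED:
        return []  # refusing outright is stricter than the ticket requires
    findings = []
    # Assumption: results are listed under a top-level "users" array.
    for user in json.loads(body).get("users", []):
        extra = sorted(set(user) - ANONYMOUS_USER_FIELDS)
        if extra:
            findings.append(f"users/search: {user.get('login', '?')} exposes {extra}")
    return findings

def check_user_groups_search(status, body):
    """Findings for an anonymous /api/user_groups/search response."""
    if status in DENIED:
        return []
    return [f"user_groups/search: anonymous request answered with {status}"]

CHECKS = {
    "/api/users/search": check_users_search,
    "/api/user_groups/search": check_user_groups_search,
}

def audit(responses):
    """responses maps endpoint path -> (status, body), captured without credentials."""
    findings = []
    for path, check in CHECKS.items():
        findings.extend(check(*responses[path]))
    return findings

# Constructed sample responses, not captured from a real server.
BEFORE_FIX = {
    "/api/users/search": (200, json.dumps(
        {"users": [{"login": "alice", "name": "Alice", "email": "alice@example.com"}]})),
    "/api/user_groups/search": (200, json.dumps({"groups": [{"name": "admins"}]})),
}
AFTER_FIX = {
    "/api/users/search": (200, json.dumps({"users": [{"login": "alice", "name": "Alice"}]})),
    "/api/user_groups/search": (401, ""),
}

if __name__ == "__main__":
    print(audit(BEFORE_FIX), audit(AFTER_FIX))
```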

            People

            • Assignee:
              julien.lancelot Julien Lancelot
              Reporter:
              fabrice.bellingard Fabrice Bellingard