SonarQube / SONAR-7874

Restrict anonymous access for some WS


    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: 5.6.1, 6.0
    • Component/s: Web API
    • Labels:

      Description

      The following WS are all accessible anonymously, whereas they should be partially or fully protected against anonymous access:

      • /api/users/search
        • Currently, "Administer System permission is required to show the 'groups' field."
        • We should extend this filtering: when accessed anonymously, this WS should return only:
          • login
          • name
      • /api/user_groups/search
        • Currently, it is accessible anonymously: there's no valid reason for this (this is used only for admin features)
        • We should restrict access to logged-in users
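
A regression check for the behaviour requested above, as an added example that is not SonarQube's own code: it audits responses captured without credentials against the two rules in the description. The JSON envelope (`users`, `groups`), the `email` field and treating HTTP 401/403 as "denied" are assumptions, and the sample responses are constructed.

```python
import json

# Per the issue: anonymous callers of /api/users/search may see only these fields.
ANON_USER_FIELDS = {"login", "name"}
DENIED = (401, 403)  # assumption: either status counts as "not accessible anonymously"

def check_users_search(status, body):
    if status in DENIED:
        return []  # stricter than the issue requires, still acceptable
    try:
        users = [dict(u) for u in json.loads(body)["users"]]  # assumed envelope
    except (ValueError, KeyError, TypeError):
        return ["/api/users/search: unparseable response, review manually"]
    findings = []
    for user in users:
        extra = sorted(set(user) - ANON_USER_FIELDS)
        if extra:
            findings.append(f"/api/users/search: {user.get('login', '?')} exposes {', '.join(extra)}")
    return findings

def check_user_groups_search(status, body):
    if status in DENIED:
        return []
    return [f"/api/user_groups/search: anonymous request returned HTTP {status}"]

CHECKS = {
    "/api/users/search": check_users_search,
    "/api/user_groups/search": check_user_groups_search,
}

def audit(responses):
    """responses maps path -> (status, body), captured without credentials."""
    findings = []
    for path, check in CHECKS.items():
        if path in responses:
            findings.extend(check(*responses[path]))
        else:
            findings.append(f"{path}: no response captured")
    return findings

# Constructed samples, not real SonarQube output.
BEFORE_FIX = {
    "/api/users/search": (200, '{"users": [{"login": "alice", "name": "Alice", "email": "alice@example.test"}]}'),
    "/api/user_groups/search": (200, '{"groups": [{"name": "example-group"}]}'),
}
AFTER_FIX = {
    "/api/users/search": (200, '{"users": [{"login": "alice", "name": "Alice"}]}'),
    "/api/user_groups/search": (401, ""),
}

if __name__ == "__main__":
    for label, sample in (("before", BEFORE_FIX), ("after", AFTER_FIX)):
        print(label, audit(sample) or "OK")
```
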

            People

            Assignee:
            julien.lancelot Julien Lancelot
            Reporter:
            fabrice.bellingard Fabrice Bellingard