REST API and tasks visibility

Submitted by florian.baillagou on Mon, 03/09/2015 - 15:41

Hi,

I would like to retrieve all task (assigned or not) which are related to specific users. (These users correspond to the members of my organization).

So I have few questions about the REST API :

Does it returns all tasks visible by the user (user who is contained into the cookie) or all the tasks of the engine ?
If I specified the "assigned_id", tasks which are visible but not assigned are not returned.
If I specify the "assigned_id" with no value, tasks which are visible are returned. But visible by who ?

So the main question is : Do you use the cookie only for authentication or do you use it to "filter" informations returned ?

Cheers,

Log in or register to post comments
1306 reads

1 answer

Submitted by florian.baillagou on Mon, 03/09/2015 - 16:44

Hi,

First question : The request returns all the task from the engine. There isn't any filter on the user connected. If you add a filter on assigned_id, you can't see tasks visible by the user.

Another thing, every user can execute every task through REST API. There isn't any check or something blocking you.

This is a big security problem don't you think ?

Log in or register to post comments
273 reads