REST API and tasks visibility
I would like to retrieve all tasks (assigned or not) that are related to specific users. (These users correspond to the members of my organization.)
So I have a few questions about the REST API:
Does it return all tasks visible to the user (the user contained in the cookie) or all the tasks of the engine?
If I specify the "assigned_id", tasks which are visible but not assigned are not returned.
If I specify the "assigned_id" with no value, tasks which are visible are returned. But visible to whom?
So the main question is: Do you use the cookie only for authentication, or do you use it to "filter" the information returned?
First question: The request returns all the tasks from the engine. There isn't any filter on the connected user. If you add a filter on assigned_id, you can't see tasks visible to the user.
Another thing: every user can execute every task through the REST API. There isn't any check or anything blocking you.
This is a big security problem, don't you think?
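The two behaviours described in the answer (an unfiltered task list and task execution with no check) side by side with the server-side visibility check they lack, as an added example that is not the engine's code. The task, user and session model, the `is_visible` rule (a task is visible if it is assigned to the user, or unassigned and pending for one of the user's actors) and the sample data are assumptions constructed for the illustration.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Task:
    task_id: int
    actor: str                       # group allowed to handle the task (assumed model)
    assigned_id: Optional[int] = None  # user the task is assigned to, if any

@dataclass(frozen=True)
class User:
    user_id: int
    actors: frozenset               # actors (groups) the user is a member of

# Constructed sample data, not from any real engine.
TASKS = [
    Task(1, "approvers", assigned_id=7),
    Task(2, "approvers"),            # visible to approvers, not yet assigned
    Task(3, "auditors", assigned_id=9),
]
SESSIONS = {                         # cookie value -> authenticated user
    "cookie-abc": User(7, frozenset({"approvers"})),
    "cookie-xyz": User(9, frozenset({"auditors"})),
}

def is_visible(task: Task, user: User) -> bool:
    """Assumed visibility rule: the task is mine, or it is pending for one of my actors."""
    if task.assigned_id is not None:
        return task.assigned_id == user.user_id
    return task.actor in user.actors

def list_tasks_unfiltered(cookie: str) -> list:
    """Behaviour the answer describes: the cookie only authenticates, then every task is returned."""
    SESSIONS[cookie]                 # raises KeyError for an unknown session
    return [t.task_id for t in TASKS]

def list_tasks_filtered(cookie: str) -> list:
    """Hardened form: the user comes from the session, never from a client-supplied assigned_id."""
    user = SESSIONS[cookie]
    return [t.task_id for t in TASKS if is_visible(t, user)]

def execute_task(cookie: str, task_id: int) -> str:
    """Hardened form: execution is refused unless the task is visible to the session user."""
    user = SESSIONS[cookie]
    task = next(t for t in TASKS if t.task_id == task_id)
    if not is_visible(task, user):
        raise PermissionError(f"user {user.user_id} may not execute task {task_id}")
    return f"task {task_id} executed by user {user.user_id}"
```

Filtering on the session user rather than on a caller-chosen `assigned_id` is what keeps unassigned-but-visible tasks in the list while still hiding other users' tasks.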