REST API and tasks visibility

florian.baillagou · 9 March 2015 14:41

Hi,

I would like to retrieve all task (assigned or not) which are related to specific users. (These users correspond to the members of my organization).

So I have few questions about the REST API :

Does it returns all tasks visible by the user (user who is contained into the cookie) or all the tasks of the engine ?
If I specified the “assigned_id”, tasks which are visible but not assigned are not returned.
If I specify the “assigned_id” with no value, tasks which are visible are returned. But visible by who ?

So the main question is : Do you use the cookie only for authentication or do you use it to “filter” informations returned ?

Cheers,

florian.baillagou · 9 March 2015 15:44

Hi,

First question : The request returns all the task from the engine. There isn’t any filter on the user connected. If you add a filter on assigned_id, you can’t see tasks visible by the user.

Another thing, every user can execute every task through REST API. There isn’t any check or something blocking you.

This is a big security problem don’t you think ?

Topic		Replies	Views
How to get all tasks for a user via REST API? Q&A	6	10	28 March 2016
[REST API] How to get task by assigned_id Q&A	0	2	4 June 2018
REST API to get all available task Q&A extensions	3	2	24 May 2023
Getting Task Actor via API REST (BOS 6.X) Q&A	4	1	4 March 2015
REST API get all available, unassigned task using administrator profile Q&A extensions	4	4	17 November 2023

REST API and tasks visibility

Related Topics