View Revisions: Issue #26893

Summary 0026893: APIs expose private attachments to users who have access to issue but not private notes
Revision 2020-04-19 17:48 by vboctor
Description

This applies to both SOAP and REST API.

Impacted REST APIs:

  • {{url}}/api/rest/issues/:issue_id
  • {{url}}/api/rest/issues/:issue_id/files
  • {{url}}/api/rest/issues/:issue_id/files/:file_id

Note that the UI enforced access checks correctly since the attachments were grouped with the private notes and the private notes were not rendered.

Revision 2020-04-19 17:40 by vboctor
Description

This applies to both SOAP and REST API.

Note that the UI enforced access checks correctly.

Revision 2020-04-19 17:39 by vboctor
Description

This applies to both SOAP and REST API.