Can you make the getTreeWatches REST call open to logged in users?

Issue #15 closed
Alex YASUREK created an issue

Hi,

I was wondering if there was a possibility of making this rest call open to regular signed in users and not just admins:

/rest/treeviewrest/1.0/getTreeWatches?username=xyz

The reason is that I am creating a page in our theme where users can go in and view the page trees they are watching. The problem I am running into is that I can only get the page trees they are watching if I am signed in with my admin account. As soon as I sign in as a normal user I get 403 errors.

Do you think it would be possible to have this REST call open to normal users, so that when the page loads the REST call can be made as the currently signed-in user? I can fill in the username parameter with the currently signed-in user.

Thanks

Comments (9)

  1. Andreas Purde repo owner

    Dear Alex,

    thank you for your request. So you want /rest/treeviewrest/1.0/getTreeWatches (without username) returning the tree watches of the calling user? That should be possible.

    Kind regards, Andreas

  2. Alex YASUREK reporter

    Hi,

    Yes, I am just looking to be able to retrieve all the page tree watches as the currently signed-in user, even if they are not an admin.

    This call will still work because I can get the currently signed-in user's username: /rest/treeviewrest/1.0/getTreeWatches?username=xyz. But the problem is that the currently signed-in user is not an admin, so the AJAX call responds with 403.

    I looked over the code and saw that it's the permission check below that's the issue:

        @GET
        @Produces({MediaType.APPLICATION_JSON, MediaType.APPLICATION_XML})
        @Path("/getTreeWatches")
        public Response getTreeWatches(@QueryParam("username") String username) {

            // action only allowed for admins
            if(!permissionMan.isConfluenceAdministrator(AuthenticatedUserThreadLocal.get())) {  // <------- this line is causing the issue
                return Response.status(Status.FORBIDDEN).build();
            }


    Thanks for responding so quickly.

  3. Andreas Purde repo owner

    Dear Alex,

    this check has been implemented to prevent a non-admin from seeing the tree views of another user. I'll implement a new REST endpoint to allow any user to get his own tree watches.

    Kind regards, Andreas

  4. Andreas Purde repo owner

    Dear Alex,

    would you mind testing whether version 1.4.2 from the download section meets your requirements? The endpoint would be:

    /rest/treeviewrest/1.0/getMyTreeWatches
    

    It returns all tree watches of the calling user in the same format as getTreeWatches.

    Andreas
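
    The two endpoints described above (the admin-only one that takes a username, beside the per-user one that takes none), written out as an added example of a JAX-RS resource. This is not the plugin's own code: it assumes the Confluence `PermissionManager` and `AuthenticatedUserThreadLocal` APIs (Confluence 5.x or later, where `get()` returns a `ConfluenceUser`) and a hypothetical `TreeWatchService` that looks up watches by username.

```java
import java.util.List;

import javax.ws.rs.GET;
import javax.ws.rs.Path;
import javax.ws.rs.Produces;
import javax.ws.rs.QueryParam;
import javax.ws.rs.core.MediaType;
import javax.ws.rs.core.Response;
import javax.ws.rs.core.Response.Status;

import com.atlassian.confluence.security.PermissionManager;
import com.atlassian.confluence.user.AuthenticatedUserThreadLocal;
import com.atlassian.confluence.user.ConfluenceUser;

/** Hypothetical lookup service (assumption: not part of the real plugin). */
interface TreeWatchService {
    /** Returns the page ids whose trees the named user is watching. */
    List<String> getTreeWatches(String username);
}

@Path("/")
public class TreeWatchResource {

    private final PermissionManager permissionMan;
    private final TreeWatchService treeWatchService;

    public TreeWatchResource(PermissionManager permissionMan, TreeWatchService treeWatchService) {
        this.permissionMan = permissionMan;
        this.treeWatchService = treeWatchService;
    }

    /**
     * Admin-only. The "username" parameter is supplied by the client, so
     * without the administrator check any logged-in user could read another
     * user's watches simply by changing ?username=. The check stays.
     */
    @GET
    @Produces({MediaType.APPLICATION_JSON, MediaType.APPLICATION_XML})
    @Path("/getTreeWatches")
    public Response getTreeWatches(@QueryParam("username") String username) {
        ConfluenceUser caller = AuthenticatedUserThreadLocal.get();
        // Anonymous callers (null) and non-admins are both refused.
        if (caller == null || !permissionMan.isConfluenceAdministrator(caller)) {
            return Response.status(Status.FORBIDDEN).build();
        }
        return Response.ok(treeWatchService.getTreeWatches(username)).build();
    }

    /**
     * Open to any logged-in user. The identity comes from the authenticated
     * session, never from the request, so a caller cannot name someone else.
     */
    @GET
    @Produces({MediaType.APPLICATION_JSON, MediaType.APPLICATION_XML})
    @Path("/getMyTreeWatches")
    public Response getMyTreeWatches() {
        ConfluenceUser caller = AuthenticatedUserThreadLocal.get();
        if (caller == null) {
            // Not logged in at all: nothing to return.
            return Response.status(Status.UNAUTHORIZED).build();
        }
        return Response.ok(treeWatchService.getTreeWatches(caller.getName())).build();
    }
}
```

    A quick check after deploying: calling getTreeWatches?username=someone-else as a non-admin must still answer 403, while getMyTreeWatches answers 200 with only the caller's own watches. That split is what keeps the original restriction (no user sees another user's tree views) while still giving Alex's theme page what it needs.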

  5. Alex YASUREK reporter

    Hi,

    Unfortunately, when I try to install it I am getting "An unexpected error occurred" messages. I even tried uninstalling 1.4.1 and then installing 1.4.2 and still got that error.

    Update: I was finally able to install it, so I will test it out now.

    Thanks

  6. Alex YASUREK reporter

    Hi,

    Seems to be working like I need it to now. I signed in as a normal user and was able to see all the page trees that user is watching. Any idea when you will be pushing this change to the marketplace? I did all this testing on our staging instance, but for production I'd rather update it through the marketplace in case I run into issues updating it like I did with the jar file.

    Thanks a lot again.

  7. Andreas Purde repo owner

    Dear Alex,

    I released 1.4.2 to the marketplace. Thank you for the positive review.

    Kind regards, Andreas
