API Create issue, Privare repo, Public issue (BB-3043)

Issue #3255 closed
Steve Greenwood
created an issue

When trying to create an issue via the API, the authenticated user needs a minimum of read privilege on the repo in order to create the issue.

When the repo is private, and the issue tracker is public the user should only be required to be authenticated, not to have read access to the repo.

Instead, an http error 401 is returned from the API if the user does not have read access.

Comments (5)

  1. David Chambers

    Are you suggesting that creating an issue on a private repo's public tracker and creating an issue on a public repo's public tracker should be treated differently?

    Before taking action I'd like to understand both the privileges required to create issues in each of the four scenarios, and the thinking behind these rules.

  2. Steve Greenwood reporter

    I have not tested how this works with public repos and public trackers, i would presume that since everybody has read access to public repos, this is not an issue.


    Private repo + Public tracker

    • Via the web interface, a user may create an issue, without having any level of access to the repository.
    • The same user, can not use the API to create an issue, unless the user has a minimum of read access to the repository.

    What I am asking for, is that any user be allowed to create an issue via the API if the issue tracker is public, regardless of their repository access level.

    A nice extension to this, would be to allow for anonymous issue creation via the API as can be achieved through the site.

  3. Dylan Etkin

    I agree that the UI and the API should be consistent.

    We are not really tackling too many API issues ATM but we will try to address this when we are next in the area.



  4. Log in to comment