API leaks information about private wiki and issue tracker (BB-9521)

Issue #8368 closed
Ville Saalo
created an issue

The repositories API reports that a repository has an issue tracker even if the tracker is private and it's an unauthenticated party making the request. Same goes for the wiki.

Example: https://bitbucket.org/api/1.0/repositories/ZeroOne3010/simple-rss-parser says "has_issues": true, whereas you cannot see the issue tracker when looking at the corresponding web page: https://bitbucket.org/ZeroOne3010/simple-rss-parser

I would expect the API to report that no issue tracker or wiki is present unless the requester actually has access to them. It even says in the issue tracker and wiki settings, under the 'Private' option, that they are "visible only to people who have repository access".
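The behaviour reported above next to the caller-scoped behaviour the reporter expects, with a regression check, as an added example that is not part of the original issue and is not Bitbucket's code. The `Repo` model, the function names and the sample data are hypothetical; `has_issues` is the field quoted in the report and `has_wiki` is assumed as the name of the matching wiki flag.

```python
from dataclasses import dataclass, field

@dataclass
class Repo:  # hypothetical model, constructed for this example
    slug: str
    has_issues: bool
    issues_private: bool
    has_wiki: bool
    wiki_private: bool
    members: set = field(default_factory=set)

def has_repo_access(repo, user):
    """Anonymous callers (user=None) never have repository access."""
    return user is not None and user in repo.members

def serialize_reported(repo, user=None):
    """Behaviour described in the report: flags ignore who is asking."""
    return {"slug": repo.slug, "has_issues": repo.has_issues,
            "has_wiki": repo.has_wiki}

def _visible(enabled, private, repo, user):
    # A private tracker/wiki is reported only to users with repository access.
    return enabled and (not private or has_repo_access(repo, user))

def serialize_scoped(repo, user=None):
    """Expected behaviour: flags reflect what this caller may see."""
    return {"slug": repo.slug,
            "has_issues": _visible(repo.has_issues, repo.issues_private, repo, user),
            "has_wiki": _visible(repo.has_wiki, repo.wiki_private, repo, user)}

def leaked_flags(repo, response, user=None):
    """Regression check: flags set in a response the caller should not see."""
    private = {"has_issues": repo.issues_private, "has_wiki": repo.wiki_private}
    return sorted(k for k, p in private.items()
                  if response.get(k) and p and not has_repo_access(repo, user))

# Constructed sample: public repository with a private tracker and wiki.
SAMPLE = Repo("example-owner/example-repo", True, True, True, True, {"alice"})

if __name__ == "__main__":
    for fn in (serialize_reported, serialize_scoped):
        anon = fn(SAMPLE)
        print(fn.__name__, anon, "leaks:", leaked_flags(SAMPLE, anon))
```

Running `leaked_flags` against anonymous responses in an API test suite catches this class of regression whenever a new feature flag is added to the serializer.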
