On Sat, Oct 17, 2020 at 11:49 PM ikedam <[email protected]> wrote: > REST API looks expected to use to expose configurations, that is, to expose > static attributes rather than calculated results.
Not really. There is an export API from builds (`Run.getApi`), for example, which is clearly dynamic. > REST API is accessible from users with Item/READ permissions. The current > version of extensible-choice expose calculated values only to users with > Item/BUILD or Item/CONFIGURE permissions. If there is some security reason to restrict information, simply guard the `@Exported` getter with a `hasPermission` call, returning an empty result for users without permission. Note that this would affect other uses of the getter, which is usually what you want: the caller is either internal, running as `ACL.SYSTEM`, or is actually part of an authenticated request, in which case the permission check is appropriate. If you really must retain the original behavior, add a new getter with an arbitrary name which is marked `@Restricted(DoNotUse.class) @Exported(name = "originalPropertyName")` and does the permission check. -- You received this message because you are subscribed to the Google Groups "Jenkins Developers" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To view this discussion on the web visit https://groups.google.com/d/msgid/jenkinsci-dev/CANfRfr1J_NKoZbkQdOnQ9Qfknc7-3fR%3DAKWLHUadiGV3%3DHzuLg%40mail.gmail.com.
