On 2010-12-22 1:07, Christian Hammond wrote:
On Tue, Dec 21, 2010 at 6:18 PM, Oz Linden (Scott Lawrence)
Yes, a direct REST API that returned the URL for a name would certainly be
Do you plan to make it possible to require authentication for the REST APIs
in 1.6? I'm currently running my server with anonymous access disabled
because enabling anon access made the REST query APIs open.
What parts are you wanting to hide?
I have not done a comprehensive audit of what I can get ... I just noted
that I could do an anonymous query of all the users including addresses
and decided this was a bad idea.
I can absolutely see hiding user information (definitely the full
e-mail address, maybe partly the full name) and maybe the group e-mail
address when the user accessing it is anonymous. I don't know that
blocking the entire API is useful, though, if you're allowing
anonymous access to the site anyway.
The general idea is that an anonymous user should not be able to see
anything through the REST API that they couldn't see on the HTML UI.
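The rule stated at the end of the thread (an anonymous user sees nothing through the REST API that the HTML UI would not show) can be enforced by having both renderers read one visibility policy. The following is an added example, not part of the original message and not Review Board's code; every name, the field list, and the choice to hide the full name as well as the e-mail address are assumptions, and the sample records are constructed.

```python
# Added illustration; hypothetical names, not Review Board's implementation.
import html
from dataclasses import dataclass, asdict

# One allowlist per resource for anonymous callers. Both the HTML view and
# the REST serializer read it, so the two cannot drift apart.
# Assumption: full name is hidden along with the e-mail address.
ANON_VISIBLE = {
    "user": {"username"},
    "group": {"name", "display_name"},
}

@dataclass
class User:
    username: str
    fullname: str
    email: str

@dataclass
class Group:
    name: str
    display_name: str
    mailing_list: str

def visible_fields(kind, record, authenticated):
    """Return the fields this caller may see; unknown kinds raise KeyError."""
    data = asdict(record)
    if authenticated:
        return data
    allowed = ANON_VISIBLE[kind]  # fail closed: no allowlist, no output
    return {k: v for k, v in data.items() if k in allowed}

def render_html(kind, record, authenticated):
    fields = visible_fields(kind, record, authenticated)
    return "".join(
        f"<dt>{html.escape(k)}</dt><dd>{html.escape(str(v))}</dd>"
        for k, v in fields.items()
    )

def render_api(kind, record, authenticated):
    return {kind: visible_fields(kind, record, authenticated)}

def api_leaks(kind, record):
    """Fields the anonymous API returns that the anonymous HTML page lacks."""
    page = render_html(kind, record, authenticated=False)
    payload = render_api(kind, record, authenticated=False)[kind]
    return {k for k, v in payload.items() if html.escape(str(v)) not in page}

# Constructed sample records.
SAMPLE_USER = User("alice", "Alice Example", "alice@example.com")
SAMPLE_GROUP = Group("core", "Core Team", "core-list@example.com")
```

A regression test that asserts `api_leaks(...)` is empty for every resource type catches a new API field that was added without a matching policy entry.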