On Sat, Oct 17, 2020 at 11:49 PM ikedam <
iked...@gmail.com> wrote:
> REST API looks expected to use to expose configurations, that is, to expose static attributes rather than calculated results.
Not really. There is an export API from builds (`Run.getApi`), for
example, which is clearly dynamic.
> REST API is accessible from users with Item/READ permissions. The current version of extensible-choice expose calculated values only to users with Item/BUILD or Item/CONFIGURE permissions.
If there is some security reason to restrict information, simply guard
the `@Exported` getter with a `hasPermission` call, returning an empty
result for users without permission.
Note that this would affect other uses of the getter, which is usually
what you want: the caller is either internal, running as `ACL.SYSTEM`,
or is actually part of an authenticated request, in which case the
permission check is appropriate. If you really must retain the
original behavior, add a new getter with an arbitrary name which is
marked `@Restricted(DoNotUse.class) @Exported(name =
"originalPropertyName")` and does the permission check.