We have multiple instances of SonarQube, such as Enterprise 10.3 and Community 9.9.1, for different needs. We have a utility that pulls project, metrics, etc. information from these instances periodically for governance using different SonarQube APIs.
Is there a way to pull the list of projects for a user using a user token that has access to all projects, users, etc.? Like I may have 10k projects in one SonarQube instance and let’s say I have 500 users. So, for a given user, how many projects does that user have access to? For example, if one user has access to 10 projects then I’d need to get the names of those 10 projects if I pass his email address to the API.
I have the email address of the user against which I need to get the list of projects. I tried to figure out the flow from the SonarQube UI, but as soon as we log in to SonarQube, we get an XSRF token and that token identifies the logged-in user. This token is later used to get the list of projects.
However, in our case, we have a list of users (email addresses), and through API, we need to get the list of projects for a given email address.
If anyone has solved a similar challenge then please do let me know.
While permissions are sometimes explicitly granted to an individual user, most of the time they are granted via membership in a specific group (or because the projects are public, and anybody who can log in to the instance can see them).
Without being logged into the instance as the user, it would be hard to get that list. No endpoint exposes project access via implicit permissions.
Can you detail a bit more what you’ll use this info for?
In our case, we have multiple SonarQube instances (different servers with separate administration, projects, users, etc. - you can consider separate instances per geo region just for example) and want our users to add certain information to their projects. However, the issue is that the user can see the project but cannot edit it directly because the project was created by some person X, and now Y cannot edit the metadata of the project, like project information, etc. Only the creator of the project or the admin of the instance has the right to do that.
So, we have a utility that allows our users to log in, select their server, and just add content in a text box. Then we simply know how to add that information to the user's project, and we add that via an API call. We have a token that has permission to add that information to any project on that server. However, the issue is that we cannot authorize the user in our utility.
For example, user A who has access to project A (only) can say I want to add “xxxx” to project B. But in reality, he may not have access to Project B. But our utility is not smart enough to know which projects user A has access to, and if Project B exists on that server then the utility will simply add that information to Project B.
So we want to know which projects a user has access to so that we can put some sort of validation.
Does that help to understand the use case?
That sounds… complicated.
If you can do so securely, maybe you can accept a user token of the user who is making the request so that you can do the API lookup while authenticated as that user.
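The check suggested in the reply above, written out as an added example (not code from this thread or from SonarSource): the utility takes the requesting user's own SonarQube token, confirms it with api/authentication/validate, pages through api/components/search_projects as that user (the server only returns projects the caller may browse), and refuses the admin-token write unless the target project is in that list. The base URL, the token values, and the fake server used for the offline run are constructed for illustration; the transport is injected so the same functions work against a real instance with the default urllib fetcher.

```python
"""Gate a privileged SonarQube write on what the requesting user can see."""
import base64
import json
import urllib.parse
import urllib.request
from typing import Callable, Dict, List

# Added example, not code from the original thread or from SonarSource.
# Assumption: the utility receives the requesting user's own SonarQube user
# token and uses it (not the admin token) for the lookup, so the server does
# the permission filtering. Transport is injected to allow an offline run.

Fetcher = Callable[[str, Dict[str, str]], dict]


def auth_header(token: str) -> Dict[str, str]:
    """SonarQube accepts a token as the Basic-auth username with an empty
    password (9.9 and 10.x). The token travels in the header, never in the URL."""
    cred = base64.b64encode(f"{token}:".encode()).decode()
    return {"Authorization": f"Basic {cred}"}


def http_json(url: str, headers: Dict[str, str]) -> dict:
    """Real transport: GET the URL and decode the JSON body."""
    req = urllib.request.Request(url, headers=headers)
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.loads(resp.read().decode("utf-8"))


def token_is_valid(base_url: str, token: str, fetch: Fetcher = http_json) -> bool:
    """api/authentication/validate answers {"valid": true|false} for the credentials."""
    body = fetch(f"{base_url}/api/authentication/validate", auth_header(token))
    return bool(body.get("valid"))


def visible_projects(base_url: str, token: str, fetch: Fetcher = http_json,
                     page_size: int = 500) -> List[str]:
    """Page through api/components/search_projects as the token's user and
    collect project keys; the server limits the result to what the user may browse."""
    keys: List[str] = []
    page = 1
    while True:
        query = urllib.parse.urlencode({"p": page, "ps": page_size})
        body = fetch(f"{base_url}/api/components/search_projects?{query}", auth_header(token))
        keys.extend(c["key"] for c in body.get("components", []))
        if page * page_size >= body.get("paging", {}).get("total", 0):
            return keys
        page += 1


def authorize_write(base_url: str, token: str, project_key: str,
                    fetch: Fetcher = http_json) -> bool:
    """Only let the utility perform its admin-token write if the requesting user
    could browse the target project under their own credentials."""
    if not token_is_valid(base_url, token, fetch):
        return False
    return project_key in set(visible_projects(base_url, token, fetch))


# --- constructed fake server for the offline demonstration (hypothetical data) ---
FAKE_TOKENS = {"tok-user-a": ["projA"], "tok-admin": ["projA", "projB", "projC"]}


def fake_fetch(url: str, headers: Dict[str, str]) -> dict:
    """Stand-in for a SonarQube server: decodes the Basic header, maps the token
    to the projects that user may browse, and pages like the real endpoint."""
    raw = base64.b64decode(headers["Authorization"].split(" ", 1)[1]).decode()
    allowed = FAKE_TOKENS.get(raw.split(":", 1)[0])
    parsed = urllib.parse.urlparse(url)
    if parsed.path.endswith("/api/authentication/validate"):
        return {"valid": allowed is not None}
    if parsed.path.endswith("/api/components/search_projects"):
        if allowed is None:
            return {"components": [], "paging": {"pageIndex": 1, "pageSize": 0, "total": 0}}
        q = urllib.parse.parse_qs(parsed.query)
        p, ps = int(q.get("p", ["1"])[0]), int(q.get("ps", ["100"])[0])
        chunk = allowed[(p - 1) * ps:p * ps]
        return {"components": [{"key": k, "name": k} for k in chunk],
                "paging": {"pageIndex": p, "pageSize": ps, "total": len(allowed)}}
    raise ValueError(f"unexpected path {parsed.path}")


if __name__ == "__main__":
    base = "https://sonar.example.internal"  # hypothetical instance
    print(authorize_write(base, "tok-user-a", "projA", fake_fetch))  # True
    print(authorize_write(base, "tok-user-a", "projB", fake_fetch))  # False
    print(authorize_write(base, "tok-bogus", "projA", fake_fetch))   # False
```

One caveat for the use case in this thread: search_projects tells you which projects the user can browse, which is what was asked for, but browsing a project is not the same as being allowed to administer it. If the write should be limited to users who could edit the project themselves, the gate still needs that narrower check, and the user token should be held only for the duration of the request and never logged.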
Yeah, I know this is a little complicated once we added authorization into the equation.
Asking the user to enter the token as well and then using that token to add information can be challenging, because then we will need to educate users to generate a token in the first place.
But thank you for the advice; that can be a solution.
If you have any other comments then please let us know.