Why do I need admin privileges to list projects using the web API?

I have been experimenting with using the sonar web API as I have many projects to onboard and I would also like to extract metrics from the projects.
After some playing around I think I have most things working. There are two things that puzzle me which I am posting as separate questions / issues.

  1. When I run a query like:

curl -u $SONAR_TOKEN: “https://sonarcloud.io/api/projects/search?organization=MY_ORG
“errors”: [
“msg”: “Insufficient privileges”

It seems from the docs that I need administrator privileges just to get a list of projects:

GET api/projects/search

Search for projects to administrate them.
Requires ‘System Administrator’ permission

I can think of no sane reason for this. Is there one? Why is this API not allowed with the “browse projects” permission?
Is there an alternative API that is?

Without this API it is not possible, for example, to iterate over all projects and pull out metrics of interest like coverage or kloc. I should not need adminstrative privileges to do that.

1 Like

Reverse engineering the API as per How to reverse engineer the Sonar Web API
I find that the user interface (which is obviously capable of listing projects without admin privileges) uses /api/components/search_projects

which does what I need.
This is not documented here - https://sonarcloud.io/web_api/api/projects?deprecated=false

A useful parameter is ‘filter’:


1 Like

Please can you raise an internal issue to improve the documentation.


Thanks for the followup. You had marked this as solved and so we didn’t see the need for anything further.

Perhaps it helps to know that the Web API was crafted exclusively to the service of the UI. That’s why we advise eavesdropping on the UI to master the API. And, transparently, the only goal of the Web API is to draw the UI. If you get direct benefit from it too, that’s gravy.

To perhaps satisfy your curiosity, I believe the projects/search service you tried first was built to populate admin-level pages. Because it must be possible to perform global-level admin on a project even if you don’t have Browse on the project, that service doesn’t provide the same filtering the components/search_projects service you eventually found does. And that’s why the first one requires admin rights and the second one doesn’t. They have different functions for different purposes.

And I’ll forward this to the team in case they want to beef up the API docs. But I’m not going to hold my breath.


P.S. I’m going to un-mark this solved just so it doesn’t confuse anyone.

1 Like