Downloading other users' Timeslips


#1

I have noticed that a user with permission level 4 can no longer download other users’ timeslips.
The same query successfully retrieves other users’ timeslips when run using a token obtained from a permission level 8 user; the same query, when run using a token from a permission level 4 user, returns an empty JSON array.

Query is as follows:
https://api.freeagent.com/v2/timeslips?user=123456&from_date=2017-08-01&per_page=100

This was working yesterday. There do not appear to be any API update or change announcements on the forum, so I am not sure what is going on here?

Thanks,
Chris


#2

Also, if this is due to a change to the API to stop level 4 users from downloading other users’ timeslips, just returning an empty result set is misleading, as it suggests that there is no data when in fact there is but you are not allowed to download it.

Instead the API should return a 401 unauthorised error and a helpful JSON error response describing the issue.


#3

Just found this:


Presumably this change only affected timeslip queries that did not specify a user filter, as I could still get other users’ timeslips using a level 4 user’s access token until last week.

Looks like the change that occurred in that thread was also another example of the many undocumented and unannounced API changes that I have seen posted about on this forum.


#4

Hi, Chris.

I’m really sorry about the trouble this has caused. As you found in the previous thread, this should not have been working for you. You must have level 7 or 8 permissions in order to view other users’ timeslips. If it was working at some point between the January thread and now, that was the bug and we fixed it. I’m digging through the code to see if I can figure out where this occurred. But know that I do apologize.

As for it returning an empty array, you raise a good point and I’ll bring it up with the team as to how we want to handle this sort of behavior.

Please note that we do make the best of efforts to announce any changes we make to the API. But we also don’t always announce bug fixes such as making permissions behave the way they are documented in the app. We are sorry when that causes issues but using undocumented or unintentional API behavior is subject to unannounced change.

Kind regards,

Pat
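
The behaviour discussed in this thread, as an added example that is not part of the original posts and is not FreeAgent's code: a hypothetical timeslips handler that enforces the "level 7 or 8 to view other users' timeslips" rule from post #4 and denies explicitly instead of returning an empty array. The function name, the error body shape, the sample records and the scoping of unfiltered queries are assumptions; it uses 403 Forbidden, the HTTP status for an authenticated caller that lacks permission, where post #2 suggests 401.

```python
import json

# From post #4: level 7 or 8 is required to view other users' timeslips.
MIN_LEVEL_VIEW_OTHERS = 7

# Constructed sample data, not real records.
TIMESLIPS = [
    {"user": 123456, "dated_on": "2017-08-02", "hours": "7.5"},
    {"user": 123456, "dated_on": "2017-08-03", "hours": "6.0"},
    {"user": 654321, "dated_on": "2017-08-02", "hours": "8.0"},
]


def list_timeslips(caller_id, caller_level, user_filter=None):
    """Hypothetical GET /timeslips handler; returns (http_status, json_body)."""
    can_view_others = caller_level >= MIN_LEVEL_VIEW_OTHERS

    # Authorize before touching any data, so the denial is identical whether
    # or not the target user exists or has timeslips (no existence oracle).
    if user_filter is not None and user_filter != caller_id and not can_view_others:
        error = {
            "status": 403,
            "message": "Permission level 7 or 8 is required to view "
                       "other users' timeslips.",
        }
        return 403, json.dumps({"errors": [error]})

    # Assumption: an unfiltered query from a lower-level user is scoped to
    # the caller's own timeslips rather than rejected.
    if user_filter is None and not can_view_others:
        user_filter = caller_id

    rows = [t for t in TIMESLIPS
            if user_filter is None or t["user"] == user_filter]
    return 200, json.dumps({"timeslips": rows})


if __name__ == "__main__":
    # Level 4 caller asking for another user's timeslips: explicit denial.
    print(list_timeslips(111111, 4, user_filter=123456))
    # Level 8 caller with the same filter: data is returned.
    print(list_timeslips(999999, 8, user_filter=123456))
```

With this shape a client can tell "not permitted" (403 with an error body) apart from "permitted, no matching timeslips" (200 with an empty list).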