API: No way to determine which users have access to a board when all_access is false
#2526
Unanswered
adamdill
asked this question in
Ideas and Issue Triage
Replies: 0 comments
Summary

The board object returned by the API includes an `all_access` boolean field, but when `all_access` is `false` (i.e. the board has limited user access), there's no API endpoint to retrieve which users actually have access to that board.

Current behavior

- `GET /{account_id}/users` returns all active users in the account
- `GET /{account_id}/boards/{board_id}` returns the board object with `all_access: true|false`
- When `all_access` is `true`, you can infer that all account users have access
- When `all_access` is `false`, there is no way via the API to determine which users are allowed on that board

Expected behavior

There should be a way to retrieve the users who have access to a specific board. A few possible approaches:

1. `GET /{account_id}/boards/{board_id}/users` — returns the list of users with access to the board
2. Add a `users` array to the board JSON when `all_access` is `false`
3. `GET /{account_id}/users?board_id={board_id}` — filter the account users list by board access

Why this matters

For any integration that needs to respect board-level access control — assigning cards, building user pickers scoped to a board, syncing permissions with external tools — you currently can't tell who is allowed where. The internal data model already supports this (AGENTS.md references "Board-level access control via Access records"), so this would be a matter of exposing what's already there.

Additional context

Of the three approaches, I'd lean toward (1) — a dedicated `/{account_id}/boards/{board_id}/users` endpoint. Modeling board-user access as its own resource opens the door for future REST operations like `POST` to grant a user access to a board or `DELETE` to revoke it, rather than having to manage access through a less discoverable side channel.

Happy to help with a PR if there's a preferred approach.
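An added example, not part of the original post or the project's code: how an integration can fail closed with only the two existing endpoints described above, refusing assignment and flagging boards for manual review whenever `all_access` is not `true`. The injected `fetch` helper, the `id` key on user objects, and the sample account and board names are assumptions made for illustration.

```python
from typing import Callable, Iterable


class BoardAccessUnknown(Exception):
    """The API gives no way to list who may access this board."""


def board_users(fetch: Callable[[str], object], account_id: str, board_id: str) -> list:
    """Return the users allowed on a board, or raise if that cannot be known.

    `fetch(path)` returns parsed JSON for a GET request; it is a hypothetical
    helper, injected so transport and authentication stay out of the example.
    """
    board = fetch(f"/{account_id}/boards/{board_id}")
    # Identity check: a missing, null or non-boolean all_access must never be
    # read as "everyone has access".
    if board.get("all_access") is not True:
        raise BoardAccessUnknown(board_id)
    return fetch(f"/{account_id}/users")


def can_assign(fetch, account_id: str, board_id: str, user_id: str) -> bool:
    """Fail closed: refuse assignment when board membership is unknowable."""
    try:
        users = board_users(fetch, account_id, board_id)
    except BoardAccessUnknown:
        return False
    # "id" as the user key is an assumption about the user JSON.
    return any(u.get("id") == user_id for u in users)


def unverifiable_boards(fetch, account_id: str, board_ids: Iterable[str]) -> list:
    """Boards that a permission sync has to send to manual review."""
    flagged = []
    for board_id in board_ids:
        try:
            board_users(fetch, account_id, board_id)
        except BoardAccessUnknown:
            flagged.append(board_id)
    return flagged


# Constructed sample responses (not real data), keyed by request path.
SAMPLE = {
    "/acct1/users": [{"id": "u1"}, {"id": "u2"}],
    "/acct1/boards/open": {"all_access": True},
    "/acct1/boards/limited": {"all_access": False},
    "/acct1/boards/odd": {},  # field missing entirely
}
sample_fetch = SAMPLE.__getitem__
```

The cost of failing closed is that legitimate members of a limited board cannot be assigned through the integration until membership can be read from the API.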