Description of problem:

Version-Release number of selected component (if applicable):
4.4

How reproducible:
Always

Steps to Reproduce:
1. Create a bug and set any flag on it.
2. Make a call to get bug detail on the API [1] with no authentication, and include "flags" in include-fields. Be careful to clean cookies if you have already made an authenticated call.
3. Check that the return presents an empty array.
4. Make an authenticated call and check that the result now has flags values.

Expected results:
It took me a while to figure out that the "flags" field was not present only for unauthenticated calls, since I was explicitly asking for it. It would be more user friendly if an error was received stating that an authenticated call is required to fetch "flags" and any other field for which it is required.

PS: I tried to edit the first comment to remove sensitive data from it and make it public, but I could not edit it. So I am adding the description of the problem in this public comment.

Flags have individual ACLs and we silently filter out flags you can't see. If you set a public flag like needinfo then an unauthenticated user would see that.