Accessing Versioned Settings Config Requires “Edit Project” Permission
I have a use case where I need to read the Versioned Settings configuration of a TeamCity project via the REST API in order to determine metadata such as the effective settings path in VCS.
This is currently done through the endpoint:
/app/rest/projects/{locator}/versionedSettings/config
Current Behavior
When the REST call is executed using a user or access token that has read-only project permissions (for example, Project Viewer–level access), TeamCity returns:
403 Forbidden
AuthorizationFailedException: User has no permissions to edit project.
This happens even though the operation is read-only and does not attempt to modify any project configuration.
Granting a higher-privileged role that includes editing project settings resolves the issue and allows the request to succeed.
The Problem
Requiring edit-level project permissions for a read-only REST operation creates several challenges:
- It forces integrations and automation tools to request elevated privileges beyond what is strictly necessary.
- It conflicts with the principle of least privilege, especially in security-sensitive environments.
- It makes it difficult to safely expose project metadata to external systems that only need read access.
Expected Behavior
I would expect the Versioned Settings configuration to be retrievable with read-only project permissions, since the REST call:
- does not modify project configuration
- only returns metadata about existing settings
Alternatively, if elevated permissions are intentionally required, this requirement should be:
- clearly documented, and
- justified by a security or architectural constraint.
Questions
- Is requiring Edit Project permission for /app/rest/projects/{locator}/versionedSettings/config intended behavior (by design), or a limitation/bug?
- If this is intentional, what is the security rationale for treating this read operation as a configuration-editing permission?
- Is there a read-only REST endpoint or alternative approach to retrieve the same Versioned Settings metadata without requiring edit-level permissions?
Thank you for your assistance.
Hi,
Thank you for reaching out. Based on my understanding, this is expected behavior.
The REST endpoint is treated internally as part of project configuration management, rather than as a general read-only metadata endpoint. As a result, it requires Edit Project / Project Admin permissions and is not accessible to users or access tokens with read-only (Project Viewer–level) permissions.
This permission requirement is consistent with the TeamCity UI behavior, where Project Settings (including Versioned Settings) are not visible to users without edit-level access.
Although the operation itself is read-only, Versioned Settings are considered sensitive project configuration data.
As a result, there is currently no dedicated read-only REST API endpoint that exposes Versioned Settings metadata (such as the effective settings path in VCS) to users with Project Viewer–level permissions.
As a workaround, we recommend using a dedicated related user (access token) with Edit Project permissions, scoped only to the required projects and used exclusively for automation or integration purposes.
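To illustrate the workaround above in automation code, here is an added example (not from the thread or from JetBrains) that calls the endpoint with a dedicated access token and reports the 403 described in the thread as a distinct, non-retryable outcome; the server URL, the `id:` locator form used for the project, and the transport hook are assumptions for this example.

```python
"""Read a project's Versioned Settings config via TeamCity REST with a scoped token."""
import urllib.error
import urllib.request
from dataclasses import dataclass
from typing import Callable, Optional, Tuple

# Placeholder server URL (assumption for this example, not from the thread).
TEAMCITY_URL = "https://teamcity.example.com"


@dataclass
class VersionedSettingsResult:
    status: int
    body: str
    permission_denied: bool          # True when TeamCity answered 403
    error: Optional[str] = None


def versioned_settings_url(base_url: str, project_id: str) -> str:
    # Endpoint discussed in the thread; "id:<projectId>" is one project locator form.
    return f"{base_url.rstrip('/')}/app/rest/projects/id:{project_id}/versionedSettings/config"


def http_get(url: str, token: str) -> Tuple[int, str]:
    # Default transport: TeamCity access tokens are sent as a Bearer token.
    req = urllib.request.Request(
        url, headers={"Authorization": f"Bearer {token}", "Accept": "application/json"}
    )
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as exc:
        return exc.code, exc.read().decode("utf-8", "replace")


def fetch_versioned_settings(
    project_id: str,
    token: str,
    base_url: str = TEAMCITY_URL,
    transport: Callable[[str, str], Tuple[int, str]] = http_get,
) -> VersionedSettingsResult:
    status, body = transport(versioned_settings_url(base_url, project_id), token)
    if status == 403:
        # The thread's failure mode: the token lacks Edit Project on this project.
        # Surface it explicitly so automation does not silently fall back to a broader token.
        return VersionedSettingsResult(status, body, True, "token lacks Edit Project permission")
    if status != 200:
        return VersionedSettingsResult(status, body, False, f"unexpected HTTP {status}")
    return VersionedSettingsResult(status, body, False)
```

The `transport` parameter exists so the 403 path can be exercised offline; in real use the default `http_get` is called with the dedicated token's value.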