Creating new issues with invalid project_id should return 422 instead of 403 error
|Assignee:||Jean-Philippe Lang||% Done:|
The following REST request worked fine in Redmine 2.6.0:
$ curl -v -H "Content-Type: application/xml" -X POST --data "@test.xml" -u test:testpass https://example.com/issues.xml
<?xml version="1.0" encoding="ISO-8859-1" ?> <issue> <subject>test</subject> <project_id>test_project</project_id> <tracker_id>6</tracker_id> <description>test</description> </issue>
Since upgrading to Redmine 3.0.0 the server responds with a HTTP 403 Forbidden.
I don't change user's role or other permissions.
API: creating an issue with an invalid project_id should return 422 instead of 403 (#19276).
#5 Updated by Alex Last almost 2 years ago
same here. I installed Redmine 3.0.0 to our test server and tried running Redmine Java API tests against it:
com.taskadapter.redmineapi.NotAuthorizedException: Forbidden. Please check the user has proper permissions.
this worked fine with all previous Redmine versions.
#8 Updated by Jean-Philippe Lang almost 2 years ago
- Subject changed from Creating new issues through REST API 403 in Redmine 3.0.0 to Creating new issues with invalid project_id results in 403 error
- Target version set to Candidate for next minor release
Aron Rotteveel wrote:
That is actually not true. This has always worked. I am also getting 403's after upgrading. As your linked API documentation states:
Project identifier can be used as a filter and even if it used to work, it was never supposed to be used as a project_id value when creating an issue, as you can see in the api tests: source:/trunk/test/integration/api_test/issues_test.rb or in the curl example. It's consistent with other API endpoints that take a project id (project.parent_id and time_entry.project_id) and consistent with API responses. The API doc should be updated.
and one other thing: if project ID cannot be parsed then there should be a proper error returned to clients, not "forbidden" - that one is totally misleading.
A 422 response would be a better option indeed.
#9 Updated by Jean-Philippe Lang almost 2 years ago
- Subject changed from Creating new issues with invalid project_id results in 403 error to Creating new issues with invalid project_id should return 422 instead of 403 error
- Status changed from New to Resolved
- Assignee set to Jean-Philippe Lang
- Target version changed from Candidate for next minor release to 3.0.2
- Resolution set to Fixed