Project

General

Profile

Actions

Defect #19276

closed

Creating new issues with invalid project_id should return 422 instead of 403 error

Added by hironemu @ about 9 years ago. Updated over 8 years ago.

Status:
Closed
Priority:
Normal
Category:
REST API
Target version:
Start date:
Due date:
% Done:

0%

Estimated time:
Resolution:
Fixed
Affected version:

Description

Hi,

The following REST request worked fine in Redmine 2.6.0:

$ curl -v -H "Content-Type: application/xml" -X POST --data "@test.xml"  -u test:testpass https://example.com/issues.xml

test.xml
<?xml version="1.0" encoding="ISO-8859-1" ?>
<issue>
  <subject>test</subject>
  <project_id>test_project</project_id>
  <tracker_id>6</tracker_id>
  <description>test</description>
</issue>

Since upgrading to Redmine 3.0.0 the server responds with a HTTP 403 Forbidden.
I don't change user's role or other permissions.


Related issues

Related to Redmine - Feature #1003: Allow "New Issue" from anywhereClosed2008-04-05

Actions
Related to Redmine - Defect #23766: API : creating issues with project identifier no longer possibleClosedJean-Philippe Lang

Actions
Has duplicate Redmine - Defect #20119: REST API: setting project_id in issue not accepted in Redmine 3.0.3Closed

Actions
Actions #1

Updated by Jean-Philippe Lang about 9 years ago

  • Status changed from New to Closed
  • Resolution set to Wont fix

As you can see on the API documentation, the project_id attribute must be the numeric id of the project.

Actions #2

Updated by Aron Rotteveel about 9 years ago

That is actually not true. This has always worked. I am also getting 403's after upgrading. As your linked API documentation states:

project_id: get issues from the project with the given id, where id is either project id or project identifier.
Actions #4

Updated by Toshi MARUYAMA about 9 years ago

  • Status changed from Closed to New
  • Resolution deleted (Wont fix)
Actions #5

Updated by Alex Last about 9 years ago

same here. I installed Redmine 3.0.0 to our test server and tried running Redmine Java API tests against it:

com.taskadapter.redmineapi.NotAuthorizedException: Forbidden. Please check the user has proper permissions.

this worked fine with all previous Redmine versions.

Actions #6

Updated by Alex Last about 9 years ago

was "project key" requirement changed to "project numeric ID" somewhere between 2.6.2 and 3.0.0 releases? if yes, can we document this on REST Issue page in Wiki?

Actions #7

Updated by Alex Last about 9 years ago

and one other thing: if project ID cannot be parsed then there should be a proper error returned to clients, not "forbidden" - that one is totally misleading.

Actions #8

Updated by Jean-Philippe Lang about 9 years ago

  • Subject changed from Creating new issues through REST API 403 in Redmine 3.0.0 to Creating new issues with invalid project_id results in 403 error
  • Target version set to Candidate for next minor release

Aron Rotteveel wrote:

That is actually not true. This has always worked. I am also getting 403's after upgrading. As your linked API documentation states:

Project identifier can be used as a filter and even if it used to work, it was never supposed to be used as a project_id value when creating an issue, as you can see in the api tests: source:/trunk/test/integration/api_test/issues_test.rb or in the curl example. It's consistent with other API endpoints that take a project id (project.parent_id and time_entry.project_id) and consistent with API responses. The API doc should be updated.

and one other thing: if project ID cannot be parsed then there should be a proper error returned to clients, not "forbidden" - that one is totally misleading.

A 422 response would be a better option indeed.

Actions #9

Updated by Jean-Philippe Lang almost 9 years ago

  • Subject changed from Creating new issues with invalid project_id results in 403 error to Creating new issues with invalid project_id should return 422 instead of 403 error
  • Status changed from New to Resolved
  • Assignee set to Jean-Philippe Lang
  • Target version changed from Candidate for next minor release to 3.0.2
  • Resolution set to Fixed
Actions #10

Updated by Jean-Philippe Lang almost 9 years ago

  • Status changed from Resolved to Closed
Actions #11

Updated by Alexander Muthmann almost 9 years ago

Note: the documentation still states

project_id: get issues from the project with the given id, where id is either project id or project identifier

which is quite confusing.

Actions #12

Updated by Go MAEDA over 8 years ago

  • Has duplicate Defect #20119: REST API: setting project_id in issue not accepted in Redmine 3.0.3 added
Actions #13

Updated by Go MAEDA over 8 years ago

Alexander Muthmann wrote:

Note: the documentation still states
[...]
which is quite confusing.

Thanks for pointing it out. I have fixed the document.

project_id: get issues from the project with the given id (a numeric value, not a project identifier).

Actions #14

Updated by Mischa The Evil over 8 years ago

  • Related to Feature #1003: Allow "New Issue" from anywhere added
Actions #15

Updated by Go MAEDA over 7 years ago

  • Related to Defect #23766: API : creating issues with project identifier no longer possible added
Actions

Also available in: Atom PDF