Defect #8626

Setting status via API fails silently

Added by Bevan Rudge over 8 years ago. Updated 3 months ago.

Status: Confirmed
Start date: 2011-06-16
Priority: Normal
Due date:
Assignee: -
% Done: 0%
Category: REST API
Target version: -
Resolution:
Affected version: 1.1.3

Description

When a user attempts to set the status_id of an issue, but does not have permission to do so, Redmine's API does not respond with an error. The status is not updated, yet the response still indicates success.

I tested this with the Admin user on a fresh instance of Redmine, where Admin was not a member of the project.

#8625 is related.

History

#1 Updated by Go MAEDA 3 months ago

  • Status changed from New to Confirmed

I have confirmed the issue.

The user rhill tried to update the status of an issue in a public project of which he is not a member. The issue was not updated because he is not a member of the project and no workflow is defined for him. However, the API returned "204 No Content".

$ curl --user rhill:foo -v -H "Content-Type: application/json" -X PUT --data '{"issue": {"status_id": 3}}' http://redmine-trunk.test/issues/1.json
*   Trying 127.0.0.1...
* TCP_NODELAY set
* Connected to redmine-trunk.test (127.0.0.1) port 80 (#0)
* Server auth using Basic with user 'rhill'
> PUT /issues/1.json HTTP/1.1
> Host: redmine-trunk.test
> Authorization: Basic cmhpbGw6Zm9v
> User-Agent: curl/7.54.0
> Accept: */*
> Content-Type: application/json
> Content-Length: 27
>
* upload completely sent off: 27 out of 27 bytes
< HTTP/1.1 204 No Content
< X-Frame-Options: SAMEORIGIN
< X-XSS-Protection: 1; mode=block
< X-Content-Type-Options: nosniff
< X-Download-Options: noopen
< X-Permitted-Cross-Domain-Policies: none
< Referrer-Policy: strict-origin-when-cross-origin
< Cache-Control: no-cache
< X-Request-Id: 41d85ba5-74ed-4f36-b91b-b5b291ea83b5
< X-Runtime: 0.086406
< Date: Sat, 08 Jun 2019 04:33:47 GMT
< Connection: close
<
* Closing connection 0
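
A client-side guard against the behaviour confirmed above, as an added example that is not part of the original report or of Redmine's code: after the PUT it reads the issue back and compares the stored status with the requested one. The `transport` callable, `SilentRejection` and `fake_redmine` are hypothetical names, and the fake server responses are constructed.

```ruby
require 'json'

# Raised when the server answered 2xx but the issue does not have the requested status.
class SilentRejection < StandardError; end

# transport: anything responding to call(method, path, body) -> [http_code, body_string].
# In real use it would wrap an HTTP client; it is injected here so the check runs offline.
def set_status_verified(transport, issue_id, status_id)
  path = "/issues/#{issue_id}.json"
  code, _ = transport.call(:put, path, JSON.generate({ issue: { status_id: status_id } }))
  raise "PUT failed with HTTP #{code}" unless (200..299).cover?(code)

  # Do not trust the 204: read the issue back and compare the status actually stored.
  code, body = transport.call(:get, path, nil)
  raise "GET failed with HTTP #{code}" unless code == 200
  actual = JSON.parse(body).dig('issue', 'status', 'id')
  unless actual == status_id
    raise SilentRejection, "issue #{issue_id}: requested status #{status_id}, server has #{actual.inspect}"
  end
  actual
end

# Constructed stand-in for a server. With allowed: false it reproduces the
# behaviour in this report: 204 on PUT while the stored status stays unchanged.
def fake_redmine(allowed:, initial_status: 1)
  status = initial_status
  lambda do |method, _path, body|
    if method == :put
      requested = JSON.parse(body).dig('issue', 'status_id')
      status = requested if allowed
      [204, '']
    else
      [200, JSON.generate({ issue: { id: 1, status: { id: status } } })]
    end
  end
end

# Runs both cases: a permitted update, and the silently ignored one.
def demo
  ok = set_status_verified(fake_redmine(allowed: true), 1, 3)
  begin
    set_status_verified(fake_redmine(allowed: false), 1, 3)
    rejected = false
  rescue SilentRejection
    rejected = true
  end
  [ok, rejected]
end
```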
