Defect #13268

Invalid assignments possible when using REST API

Added by Phillip Wieser almost 10 years ago.

Status:NewStart date:
Priority:NormalDue date:
Assignee:-% Done:

0%

Category:REST API
Target version:-
Resolution: Affected version:2.2.3

Description

Technology stack:
(Bitnami with Redmine 2.2.3-0-ubuntu-12.04 in VMWare Player)

Environment:
Redmine version 2.2.3.stable
Ruby version 1.9.3 (x86_64-linux)
Rails version 3.2.12
Environment production
Database adapter Mysql2
Redmine plugins:
no plugin installed

Using REST API (XML) with curl

Description:
Several invalid field values can be submitted which result in invalid assignments. For example, a category of "3" can be set, even though this category does not exist. Also, a negative integer value can be set. For example, "-3".

This applies to the following fields:
Category_id, fixed_version_id, assigned_to_id.

Expected result:
Invalid assignments are not possible and an error message is thrown

Also available in: Atom PDF