Defect #15427

REST API POST and PUT broken

Added by Marco Descher over 7 years ago. Updated over 7 years ago.

Status:ClosedStart date:
Priority:UrgentDue date:
Assignee:Jean-Philippe Lang% Done:

0%

Category:REST API
Target version:2.4.1
Resolution:Fixed Affected version:2.4.0

Description

I could re-verify the behavior documented in #15424 for PUT requests. An update shows the same error message, as a POST request.
This effectively makes the REST API read-only.

The POST requests have been re-tested in 2.3.3, and there they do work!

Related issues

Related to Redmine - Defect #11797: Using the API logs out my browser session Closed
Duplicated by Redmine - Defect #15453: Redmine-Java-API - POST/Put stopped working from android ... Closed
Duplicated by Redmine - Defect #15424: Filter chain halted as :verify_authenticity_token rendere... Closed

Associated revisions

Revision 12311
Added by Jean-Philippe Lang over 7 years ago

Fixed that non-GET API requests respond with 422 (#15427).

Revision 12312
Added by Jean-Philippe Lang over 7 years ago

Merged r12311 (#15427).

History

#1 Updated by Marco Descher over 7 years ago

Adding the line

skip_before_filter :verify_authenticity_token

to the respective controller (e.g. for Users the file app/controllers/users_controller.rb) removes the problem. Wouldn't the correct solution be to verify the authenticity_token only in case of webbrowser based access?

#2 Updated by Marco Descher over 7 years ago

I could track down the changeset that seems to make the problem https://bitbucket.org/redmine/redmine-trunk/commits/b823653c220c8a7f32e321b39d0bdc5f85b4689f

#3 Updated by Marco Descher over 7 years ago

Removing lines 39-42 of above mentioned patch, makes POST and PUT usable again.

#4 Updated by Jean-Philippe Lang over 7 years ago

  • Status changed from New to Confirmed
  • Target version set to 2.4.1

#5 Updated by Jean-Philippe Lang over 7 years ago

  • Status changed from Confirmed to Resolved
  • Assignee set to Jean-Philippe Lang
  • Resolution set to Fixed

Fixed in r12311, a test with token verification turned on (off by default in tests) is now present. The fix will be included in 2.4.1 that will be released tomorrow. Thanks for pointing this out.

#6 Updated by Jean-Philippe Lang over 7 years ago

  • Duplicated by Defect #15453: Redmine-Java-API - POST/Put stopped working from android application added

#7 Updated by Jean-Philippe Lang over 7 years ago

  • Duplicated by Defect #15424: Filter chain halted as :verify_authenticity_token rendered or redirected added

#8 Updated by Jean-Philippe Lang over 7 years ago

  • Status changed from Resolved to Closed

Merged.

#9 Updated by Toshi MARUYAMA over 7 years ago

  • Description updated (diff)

#10 Updated by Go MAEDA almost 3 years ago

  • Related to Defect #11797: Using the API logs out my browser session added

Also available in: Atom PDF