https://www.redmine.org/
2017-04-07T08:07:18Z
Redmine
Redmine - Defect #25296: RestAPI doesn't allow anonymous account registration but web interface does.
https://www.redmine.org/issues/25296?journal_id=77842
2017-04-07T08:07:18Z
Toshi MARUYAMA
<ul><li><strong>Category</strong> set to <i>REST API</i></li></ul>
Redmine - Defect #25296: RestAPI doesn't allow anonymous account registration but web interface does.
https://www.redmine.org/issues/25296?journal_id=102375
2021-05-10T02:21:14Z
Ko Nagase
<ul><li><strong>File</strong> <a href="/attachments/27333">settings_self-registration_except_disabled.png</a> added</li></ul><p>When the <code>Self-registration</code> value is not "disabled", the following REST API POST request creates the account with locked or activated status, but the response is in <code>text/html</code> format.<br /><img src="https://www.redmine.org/attachments/download/27333/settings_self-registration_except_disabled.png" alt="" /></p>
<pre>
$ curl -i -H "Content-Type: application/json" -X POST http://localhost:3000/account/register.json \
-d '{"user": {"login": "XXXXX", "firstname": "YY", "lastname": "ZZZZZZ", "mail": "XXXXX@example.com", "password": "************"}}'
HTTP/1.1 302 Found
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
X-Download-Options: noopen
X-Permitted-Cross-Domain-Policies: none
Referrer-Policy: strict-origin-when-cross-origin
Location: http://localhost:3000/my/account
Content-Type: text/html; charset=utf-8
Cache-Control: no-cache
Set-Cookie: _redmine_session=********...; path=/; HttpOnly
X-Request-Id: ********...
X-Runtime: 0.027633
Content-Length: 98
<html><body>You are being <a href="http://localhost:3000/my/account">redirected</a>.</body></html>
</pre>
<p>The following GET request also returns the error message in <code>text/html</code> format, so I think both should return JSON when <code>/account/register.json</code> is specified.</p>
<pre>
$ curl -i -H "Content-Type: application/json" http://localhost:3000/account/register.json
HTTP/1.1 406 Not Acceptable
Content-Type: text/html; charset=utf-8
X-Request-Id: e0c96a76-32c6-44ce-afe7-066c86e218de
X-Runtime: 0.144548
Content-Length: 105021
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="utf-8" />
<meta name="viewport" content="width=device-width, initial-scale=1">
<title>Action Controller: Exception caught</title>
:
</pre>