Defect #8626

Setting status via API fails silently

Added by Bevan Rudge over 10 years ago. Updated over 2 years ago.

Status: Confirmed
Start date: 2011-06-16
Priority: Normal
Due date:
Assignee: -
% Done: 0%
Category: REST API
Target version: -
Resolution:
Affected version: 1.1.3

Description

When a user attempts to set the status_id of an issue, but does not have permission to do so, Redmine's API does not respond with an error. The status is not updated, yet the response still indicates success.

I tested this with Admin user on a fresh instance of Redmine, where Admin was not a member of the project.

#8625 is related.


Related issues

Related to Redmine - Defect #10233: "update issue" silently ignores "status" field if the use... Confirmed

History

#1 Updated by Go MAEDA over 2 years ago

  • Status changed from New to Confirmed

I have confirmed the issue.

The user rhill tried to update the status of an issue in a public project of which he is not a member. The issue was not updated because he is not a member of the project and no workflow is defined for him. However, the API returned "204 No Content".

$ curl --user rhill:foo -v -H "Content-Type: application/json" -X PUT --data '{"issue": {"status_id": 3}}' http://redmine-trunk.test/issues/1.json
*   Trying 127.0.0.1...
* TCP_NODELAY set
* Connected to redmine-trunk.test (127.0.0.1) port 80 (#0)
* Server auth using Basic with user 'rhill'
> PUT /issues/1.json HTTP/1.1
> Host: redmine-trunk.test
> Authorization: Basic cmhpbGw6Zm9v
> User-Agent: curl/7.54.0
> Accept: */*
> Content-Type: application/json
> Content-Length: 27
>
* upload completely sent off: 27 out of 27 bytes
< HTTP/1.1 204 No Content
< X-Frame-Options: SAMEORIGIN
< X-XSS-Protection: 1; mode=block
< X-Content-Type-Options: nosniff
< X-Download-Options: noopen
< X-Permitted-Cross-Domain-Policies: none
< Referrer-Policy: strict-origin-when-cross-origin
< Cache-Control: no-cache
< X-Request-Id: 41d85ba5-74ed-4f36-b91b-b5b291ea83b5
< X-Runtime: 0.086406
< Date: Sat, 08 Jun 2019 04:33:47 GMT
< Connection: close
<
* Closing connection 0

#2 Updated by Go MAEDA 11 months ago

  • Related to Defect #10233: "update issue" silently ignores "status" field if the user is not part of the project, but changes other fields added
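
A client-side guard for the behaviour reported above, as an added example that is not part of the original report or of Redmine's code: after the PUT it reads the issue back and raises if the stored status differs from the one sent. The `http` transport interface and the `FakeRedmine` stand-in are assumptions constructed for the example.

```ruby
require 'json'

# Raised when the server answers 2xx but the stored status is not the one sent.
class SilentRejection < StandardError; end

# Sends PUT /issues/:id.json, then reads the issue back and compares status.id.
# `http` is any object responding to request(method, path, body) -> [code, body];
# that interface is an assumption of this example, not a Redmine API.
def set_status_verified(http, issue_id, status_id)
  path = "/issues/#{issue_id}.json"
  code, = http.request(:put, path, JSON.generate({ issue: { status_id: status_id } }))
  raise "update failed: HTTP #{code}" unless code.between?(200, 299)

  code, body = http.request(:get, path, nil)
  raise "read-back failed: HTTP #{code}" unless code == 200

  actual = JSON.parse(body).dig('issue', 'status', 'id')
  return actual if actual == status_id

  raise SilentRejection,
        "issue #{issue_id}: sent status_id=#{status_id}, server kept #{actual}"
end

# Constructed stand-in for the server behaviour in the report: every PUT gets
# 204, but status_id is applied only when the user is allowed to change it.
class FakeRedmine
  def initialize(can_set_status:)
    @can_set_status = can_set_status
    @status_id = 1
  end

  def request(method, _path, body)
    case method
    when :put
      sent = JSON.parse(body).dig('issue', 'status_id')
      @status_id = sent if @can_set_status && sent
      [204, '']
    when :get
      [200, JSON.generate({ issue: { id: 1, status: { id: @status_id } } })]
    end
  end
end
```

Automation that relies on the status transition (for example closing issues from a CI job) can treat `SilentRejection` as a hard failure instead of trusting the 204.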
