Defect #15427
closed
REST API POST and PUT broken
Added by Marco Descher about 11 years ago.
Updated almost 11 years ago.
Description
I could re-verify the behavior documented in #15424 for PUT requests. An update shows the same error message, as a POST request.
This effectively makes the REST API read-only.
The POST requests have been re-tested in 2.3.3, and there they do work!
Adding the line
skip_before_filter :verify_authenticity_token
to the respective controller (e.g. for Users the file app/controllers/users_controller.rb) removes the problem. Wouldn't the correct solution be to verify the authenticity_token only in case of webbrowser based access?
Removing lines 39-42 of above mentioned patch, makes POST and PUT usable again.
- Status changed from New to Confirmed
- Target version set to 2.4.1
- Status changed from Confirmed to Resolved
- Assignee set to Jean-Philippe Lang
- Resolution set to Fixed
Fixed in r12311, a test with token verification turned on (off by default in tests) is now present. The fix will be included in 2.4.1 that will be released tomorrow. Thanks for pointing this out.
- Has duplicate Defect #15453: Redmine-Java-API - POST/Put stopped working from android application added
- Has duplicate Defect #15424: Filter chain halted as :verify_authenticity_token rendered or redirected added
- Status changed from Resolved to Closed
- Description updated (diff)
- Related to Defect #11797: Using the API logs out my browser session added
Also available in: Atom
PDF
Updated by 
Updated by 
Updated by Toshi MARUYAMA 
Updated by