Defect #19276

Creating new issues with invalid project_id should return 422 instead of 403 error

Added by hironemu @ over 7 years ago. Updated over 7 years ago.

Status:ClosedStart date:
Priority:NormalDue date:
Assignee:Jean-Philippe Lang% Done:

0%

Category:REST API
Target version:3.0.2
Resolution:Fixed Affected version:3.0.0

Description

Hi,

The following REST request worked fine in Redmine 2.6.0:

$ curl -v -H "Content-Type: application/xml" -X POST --data "@test.xml"  -u test:testpass https://example.com/issues.xml

test.xml
<?xml version="1.0" encoding="ISO-8859-1" ?>
<issue>
  <subject>test</subject>
  <project_id>test_project</project_id>
  <tracker_id>6</tracker_id>
  <description>test</description>
</issue>

Since upgrading to Redmine 3.0.0 the server responds with a HTTP 403 Forbidden.
I don't change user's role or other permissions.

Related issues

Related to Redmine - Feature #1003: Allow "New Issue" from anywhere Closed 2008-04-05
Related to Redmine - Defect #23766: API : creating issues with project identifier no longer p... Closed
Duplicated by Redmine - Defect #20119: REST API: setting project_id in issue not accepted in Red... Closed

Associated revisions

Revision 14141
Added by Jean-Philippe Lang over 7 years ago

API: creating an issue with an invalid project_id should return 422 instead of 403 (#19276).

Revision 14146
Added by Jean-Philippe Lang over 7 years ago

Don't render the issue form if issue.project is nil (#19276).

Revision 14150
Added by Jean-Philippe Lang over 7 years ago

Merged r14141 and r14146 (#19276).

History

#1 Updated by Jean-Philippe Lang over 7 years ago

  • Status changed from New to Closed
  • Resolution set to Wont fix

As you can see on the API documentation, the project_id attribute must be the numeric id of the project.

#2 Updated by Aron Rotteveel over 7 years ago

That is actually not true. This has always worked. I am also getting 403's after upgrading. As your linked API documentation states:

project_id: get issues from the project with the given id, where id is either project id or project identifier.

#4 Updated by Toshi MARUYAMA over 7 years ago

  • Status changed from Closed to New
  • Resolution deleted (Wont fix)

#5 Updated by Alex Last over 7 years ago

same here. I installed Redmine 3.0.0 to our test server and tried running Redmine Java API tests against it:

com.taskadapter.redmineapi.NotAuthorizedException: Forbidden. Please check the user has proper permissions.

this worked fine with all previous Redmine versions.

#6 Updated by Alex Last over 7 years ago

was "project key" requirement changed to "project numeric ID" somewhere between 2.6.2 and 3.0.0 releases? if yes, can we document this on REST Issue page in Wiki?

#7 Updated by Alex Last over 7 years ago

and one other thing: if project ID cannot be parsed then there should be a proper error returned to clients, not "forbidden" - that one is totally misleading.

#8 Updated by Jean-Philippe Lang over 7 years ago

  • Subject changed from Creating new issues through REST API 403 in Redmine 3.0.0 to Creating new issues with invalid project_id results in 403 error
  • Target version set to Candidate for next minor release

Aron Rotteveel wrote:

That is actually not true. This has always worked. I am also getting 403's after upgrading. As your linked API documentation states:

Project identifier can be used as a filter and even if it used to work, it was never supposed to be used as a project_id value when creating an issue, as you can see in the api tests: source:/trunk/test/integration/api_test/issues_test.rb or in the curl example. It's consistent with other API endpoints that take a project id (project.parent_id and time_entry.project_id) and consistent with API responses. The API doc should be updated.

and one other thing: if project ID cannot be parsed then there should be a proper error returned to clients, not "forbidden" - that one is totally misleading.

A 422 response would be a better option indeed.

#9 Updated by Jean-Philippe Lang over 7 years ago

  • Subject changed from Creating new issues with invalid project_id results in 403 error to Creating new issues with invalid project_id should return 422 instead of 403 error
  • Status changed from New to Resolved
  • Assignee set to Jean-Philippe Lang
  • Target version changed from Candidate for next minor release to 3.0.2
  • Resolution set to Fixed

#10 Updated by Jean-Philippe Lang over 7 years ago

  • Status changed from Resolved to Closed

#11 Updated by Alexander Muthmann over 7 years ago

Note: the documentation still states 

project_id: get issues from the project with the given id, where id is either project id or project identifier

which is quite confusing.

#12 Updated by Go MAEDA over 7 years ago

  • Duplicated by Defect #20119: REST API: setting project_id in issue not accepted in Redmine 3.0.3 added

#13 Updated by Go MAEDA over 7 years ago

Alexander Muthmann wrote:

Note: the documentation still states
[...]
which is quite confusing.

Thanks for pointing it out. I have fixed the document.

project_id: get issues from the project with the given id (a numeric value, not a project identifier).

#14 Updated by Mischa The Evil about 7 years ago

  • Related to Feature #1003: Allow "New Issue" from anywhere added

#15 Updated by Go MAEDA almost 6 years ago

  • Related to Defect #23766: API : creating issues with project identifier no longer possible added

Also available in: Atom PDF