Defect #19276
Creating new issues with invalid project_id should return 422 instead of 403 error
| Status: | Closed | Start date: | |
|---|---|---|---|
| Priority: | Normal | Due date: | |
| Assignee: | | % Done: | 0% |
| Category: | REST API | | |
| Target version: | 3.0.2 | | |
| Resolution: | Fixed | Affected version: | 3.0.0 |
Description
Hi,
The following REST request worked fine in Redmine 2.6.0:
$ curl -v -H "Content-Type: application/xml" -X POST --data "@test.xml" -u test:testpass https://example.com/issues.xml
test.xml
<?xml version="1.0" encoding="ISO-8859-1" ?>
<issue>
  <subject>test</subject>
  <project_id>test_project</project_id>
  <tracker_id>6</tracker_id>
  <description>test</description>
</issue>
Since upgrading to Redmine 3.0.0 the server responds with an HTTP 403 Forbidden.
I didn't change the user's role or other permissions.
Associated revisions
API: creating an issue with an invalid project_id should return 422 instead of 403 (#19276).
Don't render the issue form if issue.project is nil (#19276).
History
#1
Updated by Jean-Philippe Lang almost 6 years ago
- Status changed from New to Closed
- Resolution set to Wont fix
As you can see on the API documentation, the project_id attribute must be the numeric id of the project.
#2
Updated by Aron Rotteveel almost 6 years ago
That is actually not true. This has always worked. I am also getting 403's after upgrading. As your linked API documentation states:
project_id: get issues from the project with the given id, where id is either project id or project identifier.
#4
Updated by Toshi MARUYAMA almost 6 years ago
- Status changed from Closed to New
- Resolution deleted (Wont fix)
#5
Updated by Alex Last almost 6 years ago
Same here. I installed Redmine 3.0.0 on our test server and tried running the Redmine Java API tests against it:
com.taskadapter.redmineapi.NotAuthorizedException: Forbidden. Please check the user has proper permissions.
This worked fine with all previous Redmine versions.
#6
Updated by Alex Last almost 6 years ago
Was the "project key" requirement changed to "project numeric ID" somewhere between the 2.6.2 and 3.0.0 releases? If yes, can we document this on the REST Issue page in the Wiki?
#7
Updated by Alex Last almost 6 years ago
And one other thing: if project ID cannot be parsed then there should be a proper error returned to clients, not "forbidden" - that one is totally misleading.
#8
Updated by Jean-Philippe Lang almost 6 years ago
- Subject changed from Creating new issues through REST API 403 in Redmine 3.0.0 to Creating new issues with invalid project_id results in 403 error
- Target version set to Candidate for next minor release
Aron Rotteveel wrote:
That is actually not true. This has always worked. I am also getting 403's after upgrading. As your linked API documentation states:
Project identifier can be used as a filter and even if it used to work, it was never supposed to be used as a project_id value when creating an issue, as you can see in the api tests: source:/trunk/test/integration/api_test/issues_test.rb or in the curl example. It's consistent with other API endpoints that take a project id (project.parent_id and time_entry.project_id) and consistent with API responses. The API doc should be updated.
And one other thing: if project ID cannot be parsed then there should be a proper error returned to clients, not "forbidden" - that one is totally misleading.
A 422 response would be a better option indeed.
#9
Updated by Jean-Philippe Lang almost 6 years ago
- Subject changed from Creating new issues with invalid project_id results in 403 error to Creating new issues with invalid project_id should return 422 instead of 403 error
- Status changed from New to Resolved
- Assignee set to Jean-Philippe Lang
- Target version changed from Candidate for next minor release to 3.0.2
- Resolution set to Fixed
#10
Updated by Jean-Philippe Lang almost 6 years ago
- Status changed from Resolved to Closed
#11
Updated by Alexander Muthmann over 5 years ago
Note: the documentation still states
project_id: get issues from the project with the given id, where id is either project id or project identifier
which is quite confusing.
#12
Updated by Go MAEDA over 5 years ago
- Duplicated by Defect #20119: REST API: setting project_id in issue not accepted in Redmine 3.0.3 added
#13
Updated by Go MAEDA over 5 years ago
Alexander Muthmann wrote:
Note: the documentation still states
[...]
which is quite confusing.
Thanks for pointing it out. I have fixed the document.
project_id: get issues from the project with the given id (a numeric value, not a project identifier).
#14
Updated by Mischa The Evil over 5 years ago
- Related to Feature #1003: Allow "New Issue" from anywhere added
#15
Updated by Go MAEDA over 4 years ago
- Related to Defect #23766: API : creating issues with project identifier no longer possible added
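One way a client can adapt to the behaviour settled in this thread, as an added Ruby example (not Redmine's code and not posted by any commenter): translate a project identifier to its numeric id with GET /projects/<identifier>.json, then create the issue and keep a 422 validation failure separate from a 403 authorization failure. The `transport` callable, the error classes and the identifier pattern are assumptions made for this example.

```ruby
require "json"

# Added example, not Redmine's code. `transport` is a hypothetical callable:
#   transport.call(:get | :post, path, json_body_or_nil) -> [status, body]
class InvalidProject < StandardError; end    # reference could not be resolved
class ValidationFailed < StandardError; end  # HTTP 422 from the server
class Forbidden < StandardError; end         # HTTP 403 from the server

# Assumed identifier charset; checked before the value goes into a URL path.
IDENTIFIER = /\A[a-z0-9][a-z0-9_-]*\z/

# Issue creation expects the numeric project id. GET /projects/<ref>.json
# accepts an id or an identifier, so it can translate an identifier once.
def resolve_project_id(transport, ref)
  return ref if ref.is_a?(Integer)
  ref = ref.to_s
  return ref.to_i if ref.match?(/\A\d+\z/)
  raise InvalidProject, "malformed project reference #{ref.inspect}" unless ref.match?(IDENTIFIER)
  status, body = transport.call(:get, "/projects/#{ref}.json", nil)
  raise InvalidProject, "project #{ref.inspect} not visible (HTTP #{status})" unless status == 200
  JSON.parse(body).fetch("project").fetch("id")
end

# Returns the new issue id, or raises an error that keeps "bad input"
# apart from "not permitted".
def create_issue(transport, project_ref, attrs)
  payload = { issue: attrs.merge(project_id: resolve_project_id(transport, project_ref)) }
  status, body = transport.call(:post, "/issues.json", JSON.generate(payload))
  case status
  when 201
    JSON.parse(body).fetch("issue").fetch("id")
  when 422
    raise ValidationFailed, JSON.parse(body).fetch("errors", []).join("; ")
  when 403
    # Redmine 3.0.0 also answers 403 for an invalid project_id (fixed in 3.0.2).
    raise Forbidden, "403: missing permission, or invalid project_id on 3.0.0"
  else
    raise "unexpected HTTP #{status}"
  end
end
```
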