Project

General

Profile

Actions

Defect #19276

closed

Creating new issues with invalid project_id should return 422 instead of 403 error

Added by hironemu @ almost 10 years ago. Updated over 9 years ago.

Status:
Closed
Priority:
Normal
Category:
REST API
Target version:
Start date:
Due date:
% Done:

0%

Estimated time:
Resolution:
Fixed
Affected version:

Description

Hi,

The following REST request worked fine in Redmine 2.6.0:

$ curl -v -H "Content-Type: application/xml" -X POST --data "@test.xml"  -u test:testpass https://example.com/issues.xml

test.xml
<?xml version="1.0" encoding="ISO-8859-1" ?>
<issue>
  <subject>test</subject>
  <project_id>test_project</project_id>
  <tracker_id>6</tracker_id>
  <description>test</description>
</issue>

Since upgrading to Redmine 3.0.0 the server responds with a HTTP 403 Forbidden.
I don't change user's role or other permissions.


Related issues

Related to Redmine - Feature #1003: Allow "New Issue" from anywhereClosed2008-04-05

Actions
Related to Redmine - Defect #23766: API : creating issues with project identifier no longer possibleClosedJean-Philippe Lang

Actions
Has duplicate Redmine - Defect #20119: REST API: setting project_id in issue not accepted in Redmine 3.0.3Closed

Actions
Actions #1

Updated by Jean-Philippe Lang almost 10 years ago

  • Status changed from New to Closed
  • Resolution set to Wont fix

As you can see on the API documentation, the project_id attribute must be the numeric id of the project.

Actions #2

Updated by Aron Rotteveel almost 10 years ago

That is actually not true. This has always worked. I am also getting 403's after upgrading. As your linked API documentation states:

project_id: get issues from the project with the given id, where id is either project id or project identifier.
Actions #4

Updated by Toshi MARUYAMA almost 10 years ago

  • Status changed from Closed to New
  • Resolution deleted (Wont fix)
Actions #5

Updated by Alex Last almost 10 years ago

same here. I installed Redmine 3.0.0 to our test server and tried running Redmine Java API tests against it:

com.taskadapter.redmineapi.NotAuthorizedException: Forbidden. Please check the user has proper permissions.

this worked fine with all previous Redmine versions.

Actions #6

Updated by Alex Last almost 10 years ago

was "project key" requirement changed to "project numeric ID" somewhere between 2.6.2 and 3.0.0 releases? if yes, can we document this on REST Issue page in Wiki?

Actions #7

Updated by Alex Last almost 10 years ago

and one other thing: if project ID cannot be parsed then there should be a proper error returned to clients, not "forbidden" - that one is totally misleading.

Actions #8

Updated by Jean-Philippe Lang almost 10 years ago

  • Subject changed from Creating new issues through REST API 403 in Redmine 3.0.0 to Creating new issues with invalid project_id results in 403 error
  • Target version set to Candidate for next minor release

Aron Rotteveel wrote:

That is actually not true. This has always worked. I am also getting 403's after upgrading. As your linked API documentation states:

Project identifier can be used as a filter and even if it used to work, it was never supposed to be used as a project_id value when creating an issue, as you can see in the api tests: source:/trunk/test/integration/api_test/issues_test.rb or in the curl example. It's consistent with other API endpoints that take a project id (project.parent_id and time_entry.project_id) and consistent with API responses. The API doc should be updated.

and one other thing: if project ID cannot be parsed then there should be a proper error returned to clients, not "forbidden" - that one is totally misleading.

A 422 response would be a better option indeed.

Actions #9

Updated by Jean-Philippe Lang almost 10 years ago

  • Subject changed from Creating new issues with invalid project_id results in 403 error to Creating new issues with invalid project_id should return 422 instead of 403 error
  • Status changed from New to Resolved
  • Assignee set to Jean-Philippe Lang
  • Target version changed from Candidate for next minor release to 3.0.2
  • Resolution set to Fixed
Actions #10

Updated by Jean-Philippe Lang almost 10 years ago

  • Status changed from Resolved to Closed
Actions #11

Updated by Alexander Muthmann over 9 years ago

Note: the documentation still states

project_id: get issues from the project with the given id, where id is either project id or project identifier

which is quite confusing.

Actions #12

Updated by Go MAEDA over 9 years ago

  • Has duplicate Defect #20119: REST API: setting project_id in issue not accepted in Redmine 3.0.3 added
Actions #13

Updated by Go MAEDA over 9 years ago

Alexander Muthmann wrote:

Note: the documentation still states
[...]
which is quite confusing.

Thanks for pointing it out. I have fixed the document.

project_id: get issues from the project with the given id (a numeric value, not a project identifier).

Actions #14

Updated by Mischa The Evil over 9 years ago

  • Related to Feature #1003: Allow "New Issue" from anywhere added
Actions #15

Updated by Go MAEDA about 8 years ago

  • Related to Defect #23766: API : creating issues with project identifier no longer possible added
Actions

Also available in: Atom PDF