Defect #19276
closedCreating new issues with invalid project_id should return 422 instead of 403 error
0%
Description
Hi,
The following REST request worked fine in Redmine 2.6.0:
$ curl -v -H "Content-Type: application/xml" -X POST --data "@test.xml" -u test:testpass https://example.com/issues.xml
test.xml
<?xml version="1.0" encoding="ISO-8859-1" ?> <issue> <subject>test</subject> <project_id>test_project</project_id> <tracker_id>6</tracker_id> <description>test</description> </issue>
Since upgrading to Redmine 3.0.0 the server responds with a HTTP 403 Forbidden.
I don't change user's role or other permissions.
Related issues
Updated by Jean-Philippe Lang almost 10 years ago
- Status changed from New to Closed
- Resolution set to Wont fix
As you can see on the API documentation, the project_id attribute must be the numeric id of the project.
Updated by Aron Rotteveel almost 10 years ago
That is actually not true. This has always worked. I am also getting 403's after upgrading. As your linked API documentation states:
project_id: get issues from the project with the given id, where id is either project id or project identifier.
Updated by Toshi MARUYAMA almost 10 years ago
- Status changed from Closed to New
- Resolution deleted (
Wont fix)
Updated by Alex Last almost 10 years ago
same here. I installed Redmine 3.0.0 to our test server and tried running Redmine Java API tests against it:
com.taskadapter.redmineapi.NotAuthorizedException: Forbidden. Please check the user has proper permissions.
this worked fine with all previous Redmine versions.
Updated by Alex Last almost 10 years ago
was "project key" requirement changed to "project numeric ID" somewhere between 2.6.2 and 3.0.0 releases? if yes, can we document this on REST Issue page in Wiki?
Updated by Alex Last almost 10 years ago
and one other thing: if project ID cannot be parsed then there should be a proper error returned to clients, not "forbidden" - that one is totally misleading.
Updated by Jean-Philippe Lang almost 10 years ago
- Subject changed from Creating new issues through REST API 403 in Redmine 3.0.0 to Creating new issues with invalid project_id results in 403 error
- Target version set to Candidate for next minor release
Aron Rotteveel wrote:
That is actually not true. This has always worked. I am also getting 403's after upgrading. As your linked API documentation states:
Project identifier can be used as a filter and even if it used to work, it was never supposed to be used as a project_id value when creating an issue, as you can see in the api tests: source:/trunk/test/integration/api_test/issues_test.rb or in the curl example. It's consistent with other API endpoints that take a project id (project.parent_id and time_entry.project_id) and consistent with API responses. The API doc should be updated.
and one other thing: if project ID cannot be parsed then there should be a proper error returned to clients, not "forbidden" - that one is totally misleading.
A 422 response would be a better option indeed.
Updated by Jean-Philippe Lang almost 10 years ago
- Subject changed from Creating new issues with invalid project_id results in 403 error to Creating new issues with invalid project_id should return 422 instead of 403 error
- Status changed from New to Resolved
- Assignee set to Jean-Philippe Lang
- Target version changed from Candidate for next minor release to 3.0.2
- Resolution set to Fixed
Updated by Jean-Philippe Lang almost 10 years ago
- Status changed from Resolved to Closed
Updated by Alexander Muthmann over 9 years ago
Note: the documentation still states
project_id: get issues from the project with the given id, where id is either project id or project identifier
which is quite confusing.
Updated by Go MAEDA over 9 years ago
- Has duplicate Defect #20119: REST API: setting project_id in issue not accepted in Redmine 3.0.3 added
Updated by Go MAEDA over 9 years ago
Alexander Muthmann wrote:
Note: the documentation still states
[...]
which is quite confusing.
Thanks for pointing it out. I have fixed the document.
project_id: get issues from the project with the given id (a numeric value, not a project identifier).
Updated by Mischa The Evil over 9 years ago
- Related to Feature #1003: Allow "New Issue" from anywhere added
Updated by Go MAEDA about 8 years ago
- Related to Defect #23766: API : creating issues with project identifier no longer possible added