Defect #19276
closed
Creating new issues with invalid project_id should return 422 instead of 403 error
Added by hironemu @ over 9 years ago.
Updated over 9 years ago.
Description
Hi,
The following REST request worked fine in Redmine 2.6.0:
$ curl -v -H "Content-Type: application/xml" -X POST --data "@test.xml" -u test:testpass https://example.com/issues.xml
test.xml:
<?xml version="1.0" encoding="ISO-8859-1" ?>
<issue>
  <subject>test</subject>
  <project_id>test_project</project_id>
  <tracker_id>6</tracker_id>
  <description>test</description>
</issue>
Since upgrading to Redmine 3.0.0 the server responds with an HTTP 403 Forbidden.
I didn't change the user's role or other permissions.
- Status changed from New to Closed
- Resolution set to Wont fix
As you can see on the API documentation, the project_id attribute must be the numeric id of the project.
That is actually not true. This has always worked. I am also getting 403's after upgrading. As your linked API documentation states:
project_id: get issues from the project with the given id, where id is either project id or project identifier.
- Status changed from Closed to New
- Resolution deleted (Wont fix)
Same here. I installed Redmine 3.0.0 on our test server and tried running the Redmine Java API tests against it:
com.taskadapter.redmineapi.NotAuthorizedException: Forbidden. Please check the user has proper permissions.
This worked fine with all previous Redmine versions.
Was the "project key" requirement changed to "project numeric ID" somewhere between the 2.6.2 and 3.0.0 releases? If yes, can we document this on the REST Issue page in the Wiki?
And one other thing: if the project ID cannot be parsed then there should be a proper error returned to clients, not "forbidden" - that one is totally misleading.
- Subject changed from Creating new issues through REST API 403 in Redmine 3.0.0 to Creating new issues with invalid project_id results in 403 error
- Target version set to Candidate for next minor release
Aron Rotteveel wrote:
That is actually not true. This has always worked. I am also getting 403's after upgrading. As your linked API documentation states:
Project identifier can be used as a filter and even if it used to work, it was never supposed to be used as a project_id value when creating an issue, as you can see in the api tests: source:/trunk/test/integration/api_test/issues_test.rb or in the curl example. It's consistent with other API endpoints that take a project id (project.parent_id and time_entry.project_id) and consistent with API responses. The API doc should be updated.
And one other thing: if the project ID cannot be parsed then there should be a proper error returned to clients, not "forbidden" - that one is totally misleading.
A 422 response would be a better option indeed.
- Subject changed from Creating new issues with invalid project_id results in 403 error to Creating new issues with invalid project_id should return 422 instead of 403 error
- Status changed from New to Resolved
- Assignee set to Jean-Philippe Lang
- Target version changed from Candidate for next minor release to 3.0.2
- Resolution set to Fixed
- Status changed from Resolved to Closed
Note: the documentation still states
project_id: get issues from the project with the given id, where id is either project id or project identifier
which is quite confusing.
- Has duplicate Defect #20119: REST API: setting project_id in issue not accepted in Redmine 3.0.3 added
Alexander Muthmann wrote:
Note: the documentation still states
[...]
which is quite confusing.
Thanks for pointing it out. I have fixed the document.
project_id: get issues from the project with the given id (a numeric value, not a project identifier).
- Related to Defect #23766: API : creating issues with project identifier no longer possible added
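Added example (not from the thread or from Redmine's source): a Python client that resolves a project identifier to the numeric id before POSTing the issue, and keeps 403 (authorization) apart from 422 (validation) when reading the response. The `http_get`/`http_post` callables, the function names and the fake server responses are assumptions constructed for illustration.

```python
import json
from urllib.parse import quote

def resolve_project_id(project, http_get):
    """Map a project identifier (e.g. "test_project") to its numeric id."""
    if isinstance(project, int) or str(project).isdigit():
        return int(project)
    # Assumption: GET /projects/<identifier>.json returns {"project": {"id": N, ...}}
    # quote() keeps a hostile identifier from altering the request path.
    status, body = http_get("/projects/%s.json" % quote(str(project), safe=""))
    if status != 200:
        raise LookupError("project %r not resolvable (HTTP %d)" % (project, status))
    return int(json.loads(body)["project"]["id"])

def interpret(status, body):
    """Turn the HTTP status of POST /issues.json into an actionable result."""
    if status == 201:
        return ("created", json.loads(body)["issue"]["id"])
    if status == 422:  # validation failure: the server lists what is wrong
        return ("invalid", json.loads(body).get("errors", []))
    if status == 403:
        # In this thread, 3.0.0 also answered 403 for a non-numeric project_id.
        return ("forbidden", "check permissions and that project_id is numeric")
    if status == 401:
        return ("unauthenticated", "check credentials")
    return ("unexpected", status)

def create_issue(project, subject, tracker_id, http_get, http_post):
    """Always send a numeric project_id, then classify the response."""
    payload = {"issue": {"project_id": resolve_project_id(project, http_get),
                         "subject": subject, "tracker_id": tracker_id}}
    return interpret(*http_post("/issues.json", json.dumps(payload)))

# Constructed in-memory stand-ins for the server, so the example runs offline.
def fake_get(path):
    if path == "/projects/test_project.json":
        return 200, '{"project": {"id": 42, "identifier": "test_project"}}'
    return 404, ""

def fake_post(path, body):
    issue = json.loads(body)["issue"]
    if not isinstance(issue["project_id"], int):
        return 422, '{"errors": ["Project cannot be blank"]}'
    if not issue["subject"]:
        return 422, '{"errors": ["Subject cannot be blank"]}'
    return 201, '{"issue": {"id": 1001, "project_id": %d}}' % issue["project_id"]
```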