Defect #27566
open
API can add custom fields journal entry although it is disabled on WEB UI
0%
Description
What we do:
- Create Custom Field
- Set
- Visible: to any users
- Trackers: Uncheck all
- Projects: Uncheck all
What we have:
This way we can't edit or view this custom fields in any issues.
This custom field will not be seen in issues.
But we can add any value to this field programmatically in a plugin using the CustomValue model. And we can add an entry to the Journal about changing this field using the JournalDetails model.
At the same time, according to our settings: the issue should not have this field.
After these actions on the issue page:
We don’t see the field and its value
But we can see journal entries about changes in this field (that should not be).
I think it's better to get an error when we try to change a value of the field that does not exist in an issue and add an entry to the journal.
It turns out that field settings don’t mean anything.
The field is simply hidden. Despite we have special settings to change visibility.
Values of custom fields and journal details are not checked on matching the field settings before saving.
This behavior is controversial and someone can use it for their own purposes.
We have some questions
First of all, we need your feedback on following questions:
- Is this behavior correct, undesirable or incorrect?
- Can we base our solutions on this behavior?
- Can we use this behavior for their own purposes in plugins development?
- Is it better to avoid using this behavior?
Thanks!
Files
Updated by Toshi MARUYAMA 
