make /my/account endpoint accessible through API
Assignee: Go MAEDA
This would allow a user to update their account info through an external app. Currently, admin privileges are required to change e.g. a user's name through the /users API.
#3 Updated by Go MAEDA about 3 years ago
- Status changed from New to Needs feedback
- Assignee set to Jens Krämer
I have tested the patch and found that the endpoint behaves the same for both POST and PUT requests. In other words, POST updates the account instead of creating an account.
IMHO, Redmine should not respond to POST API requests. Since users think that POST requests are used to create an object, an admin may accidentally update their own account when trying to create a new account (of course, they should be more careful).
What are your thoughts on that?
#4 Updated by Jens Krämer about 3 years ago
Yes, the thought that POST is not really nice there crossed my mind, but in order to keep the patch as small as possible I stuck with it since that is what the web form uses as well. If we change the API method to PUT, I would vote for changing the method used by the /my/account form to PUT, as well. What do you think?
#8 Updated by Go MAEDA about 3 years ago
Thank you for updating the patch but some tests fail after applying the second patch. Could you look into these errors?
Failure: SudoModeTest#test_update_email_address [/Users/maeda/redmines/trunk/test/integration/sudo_mode_test.rb:153]: Expected response to be a <2XX: success>, but was a <404: Not Found>
bin/rails test test/integration/sudo_mode_test.rb:147
Failure: RoutingMyTest#test_my [/Users/maeda/redmines/trunk/test/test_helper.rb:296]: No route matches "/my/account"
bin/rails test test/integration/routing/my_test.rb:23
#9 Updated by Jens Krämer about 3 years ago
Indeed there was a bug - I forgot to change the sudo mode requirement in the controller to PUT. I also changed the tests to do PUT requests now / expect PUT to be routed instead of POST.
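The mismatch described in #8 and #9 (route moved from POST to PUT while the sudo-mode requirement still named POST) is easy to model. The following is an added toy example, not Redmine's MyController or the patch from this issue; the class, route table and `guard_complete?` check are constructed here to show why a verb-keyed re-authentication guard must move together with the route, and how to check that it did.

```ruby
# Toy model of a controller whose sudo-mode (re-authentication) guard is keyed
# on the HTTP verb. Constructed for illustration; not Redmine's MyController.
class ToyMyController
  # routes: { [verb, path] => action }; sudo_verbs: verbs of /my/account that
  # must be confirmed with the user's password before the action runs.
  def initialize(routes:, sudo_verbs:)
    @routes = routes
    @sudo_verbs = sudo_verbs
  end

  # Simulates one request; returns a hash describing the outcome.
  def dispatch(verb, path, sudo_active: false)
    action = @routes[[verb, path]]
    return { status: 404 } unless action                 # no route (the #8 failures)
    if @sudo_verbs.include?(verb) && !sudo_active
      return { status: 403, reason: :sudo_required }     # would render the sudo form
    end
    { status: 200, action: action }
  end

  # Every route that mutates the account must be covered by the sudo guard.
  def guard_complete?
    @routes.all? { |(verb, _), action| action != :update || @sudo_verbs.include?(verb) }
  end
end

ACCOUNT_ROUTES = { [:get, '/my/account'] => :show, [:put, '/my/account'] => :update }.freeze

# First patch revision: route switched to PUT, guard still says POST.
def broken_controller
  ToyMyController.new(routes: ACCOUNT_ROUTES, sudo_verbs: [:post])
end

# Corrected revision: guard follows the verb the route actually accepts.
def fixed_controller
  ToyMyController.new(routes: ACCOUNT_ROUTES, sudo_verbs: [:put])
end

if __FILE__ == $0
  [broken_controller, fixed_controller].each do |c|
    p guard_complete: c.guard_complete?,
      put_without_sudo: c.dispatch(:put, '/my/account')
  end
end
```

In the broken revision a PUT without an active sudo session reaches the update action, while the old POST now 404s (the failure Go saw); the corrected revision blocks the PUT until sudo mode is active, and `guard_complete?` is the kind of check a routing test can assert on.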