Defect #8626
Setting status via API fails silently
Status: Confirmed
Priority: Normal
Assignee: -
Category: REST API
Target version: -
Start date: 2011-06-16
Due date:
% Done: 0%
Estimated time:
Resolution:
Affected version:
Description
When a user attempts to set the status_id of an issue, but does not have permission to do so, Redmine's API does not respond with an error. The status is not updated, yet the response still indicates success.
I tested this with Admin user on a fresh instance of Redmine, where Admin was not a member of the project.
#8625 is related.
Updated by Go MAEDA over 5 years ago
- Status changed from New to Confirmed
I have confirmed the issue.
The user rhill tried to update the status of an issue in a public project of which he is not a member. The issue was not updated because he is not a member of the project and no workflow is defined for him. However, the API returned "204 No Content".
$ curl --user rhill:foo -v -H "Content-Type: application/json" -X PUT --data '{"issue": {"status_id": 3}}' http://redmine-trunk.test/issues/1.json
*   Trying 127.0.0.1...
* TCP_NODELAY set
* Connected to redmine-trunk.test (127.0.0.1) port 80 (#0)
* Server auth using Basic with user 'rhill'
> PUT /issues/1.json HTTP/1.1
> Host: redmine-trunk.test
> Authorization: Basic cmhpbGw6Zm9v
> User-Agent: curl/7.54.0
> Accept: */*
> Content-Type: application/json
> Content-Length: 27
>
* upload completely sent off: 27 out of 27 bytes
< HTTP/1.1 204 No Content
< X-Frame-Options: SAMEORIGIN
< X-XSS-Protection: 1; mode=block
< X-Content-Type-Options: nosniff
< X-Download-Options: noopen
< X-Permitted-Cross-Domain-Policies: none
< Referrer-Policy: strict-origin-when-cross-origin
< Cache-Control: no-cache
< X-Request-Id: 41d85ba5-74ed-4f36-b91b-b5b291ea83b5
< X-Runtime: 0.086406
< Date: Sat, 08 Jun 2019 04:33:47 GMT
< Connection: close
<
* Closing connection 0
Updated by Go MAEDA about 4 years ago
- Related to Defect #10233: "update issue" silently ignores "status" field if the user is not part of the project, but changes other fields added
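A client-side guard against the behaviour reported in this ticket, added here as an example (it is not part of the ticket or of Redmine's code): after a 2xx answer to the PUT, it re-reads the issue and reports every requested field that was not applied. The host `redmine.example`, the function names and the `StubRedmine` class are assumptions made for the example; the stub is constructed to mimic the 204-without-change response shown above.

```python
import json
import urllib.request

def http_json(method, url, auth, body=None):
    """Real transport: send JSON with a prebuilt Authorization header value."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method=method, headers={
        "Content-Type": "application/json", "Authorization": auth})
    with urllib.request.urlopen(req) as resp:  # raises HTTPError on 4xx/5xx
        raw = resp.read()
        return resp.status, (json.loads(raw) if raw else None)

def read_back(issue, field):
    """Map a request field such as status_id to its GET form, status.id."""
    if field.endswith("_id"):
        return (issue.get(field[:-3]) or {}).get("id")
    return issue.get(field)

def update_issue_checked(base_url, issue_id, changes, auth, transport=http_json):
    """PUT the changes, re-read the issue, and return {field: (wanted, actual)}
    for every field the server answered 2xx for but did not apply."""
    url = f"{base_url}/issues/{issue_id}.json"
    status, _ = transport("PUT", url, auth, {"issue": changes})
    if not 200 <= status < 300:
        raise RuntimeError(f"update rejected with HTTP {status}")
    _, doc = transport("GET", url, auth)
    issue = doc["issue"]
    return {f: (want, read_back(issue, f)) for f, want in changes.items()
            if read_back(issue, f) != want}

class StubRedmine:
    """Constructed stand-in for the reported server behaviour: PUT answers 204
    but drops status_id, while other fields are applied (as in #10233's title)."""
    def __init__(self):
        self.issue = {"id": 1, "subject": "old", "status": {"id": 1, "name": "New"}}
    def __call__(self, method, url, auth, body=None):
        if method == "PUT":
            for key, value in body["issue"].items():
                if key != "status_id":
                    self.issue[key] = value
            return 204, None
        return 200, {"issue": dict(self.issue)}

def demo():
    # Placeholder credentials; the stub never inspects them.
    return update_issue_checked("http://redmine.example", 1,
        {"status_id": 3, "subject": "new"}, "Basic placeholder", StubRedmine())

if __name__ == "__main__":
    print(demo())
```

A non-empty result means the 2xx status alone cannot be trusted for those fields, so the caller should treat the update as failed for them.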