Project

General

Profile

Actions
Copy link

Defect #8626

open

Setting status via API fails silently

Added by Bevan Rudge over 13 years ago. Updated over 5 years ago.

Status:
Confirmed
Priority:
Normal
Assignee:
-
Category:
REST API
Target version:
-
Start date:
2011-06-16
Due date:
% Done:

0%

Estimated time:
Resolution:
Affected version:
1.1.3

Description

When a user attempts to set the status_id of an issue, but does not have permission to do so, Redmine's API does not respond with an error. The status is not updated, yet the response still indicates success.

I tested this with Admin user on a fresh instance of Redmine, where Admin was not a member of the project.

#8625 is related.

Related issues

Related to Redmine - Defect #10233: "update issue" silently ignores "status" field if the user is not part of the project, but changes other fieldsConfirmed

Actions
Actions
Copy link
 #1

Updated by Go MAEDA over 5 years ago

  • Status changed from New to Confirmed

I have confirmed the issue.

The user rhill tried to update the status of an issue in a public project which he is not a member. The issue was not updated because he is not a member of the project and no workflow is defined for him. However, the API returned "204 No Content".

$ curl --user rhill:foo -v -H "Content-Type: application/json" -X PUT --data '{"issue": {"status_id": 3}}' http://redmine-trunk.test/issues/1.json
*   Trying 127.0.0.1...
* TCP_NODELAY set
* Connected to redmine-trunk.test (127.0.0.1) port 80 (#0)
* Server auth using Basic with user 'rhill'
> PUT /issues/1.json HTTP/1.1
> Host: redmine-trunk.test
> Authorization: Basic cmhpbGw6Zm9v
> User-Agent: curl/7.54.0
> Accept: */*
> Content-Type: application/json
> Content-Length: 27
>
* upload completely sent off: 27 out of 27 bytes
< HTTP/1.1 204 No Content
< X-Frame-Options: SAMEORIGIN
< X-XSS-Protection: 1; mode=block
< X-Content-Type-Options: nosniff
< X-Download-Options: noopen
< X-Permitted-Cross-Domain-Policies: none
< Referrer-Policy: strict-origin-when-cross-origin
< Cache-Control: no-cache
< X-Request-Id: 41d85ba5-74ed-4f36-b91b-b5b291ea83b5
< X-Runtime: 0.086406
< Date: Sat, 08 Jun 2019 04:33:47 GMT
< Connection: close
<
* Closing connection 0
Actions
Copy link
 #2

Updated by Go MAEDA almost 4 years ago

  • Related to Defect #10233: "update issue" silently ignores "status" field if the user is not part of the project, but changes other fields added
Actions
Copy link

Also available in: Atom PDF