Defect #8626
open
Setting status via API fails silently
Added by Bevan Rudge over 13 years ago.
Updated over 5 years ago.
Description
When a user attempts to set the status_id of an issue, but does not have permission to do so, Redmine's API does not respond with an error. The status is not updated, yet the response still indicates success.
I tested this with Admin user on a fresh instance of Redmine, where Admin was not a member of the project.
#8625 is related.
- Status changed from New to Confirmed
I have confirmed the issue.
The user rhill tried to update the status of an issue in a public project of which he is not a member. The issue was not updated because he is not a member of the project and no workflow is defined for him. However, the API returned "204 No Content".
$ curl --user rhill:foo -v -H "Content-Type: application/json" -X PUT --data '{"issue": {"status_id": 3}}' http://redmine-trunk.test/issues/1.json
* Trying 127.0.0.1...
* TCP_NODELAY set
* Connected to redmine-trunk.test (127.0.0.1) port 80 (#0)
* Server auth using Basic with user 'rhill'
> PUT /issues/1.json HTTP/1.1
> Host: redmine-trunk.test
> Authorization: Basic cmhpbGw6Zm9v
> User-Agent: curl/7.54.0
> Accept: */*
> Content-Type: application/json
> Content-Length: 27
>
* upload completely sent off: 27 out of 27 bytes
< HTTP/1.1 204 No Content
< X-Frame-Options: SAMEORIGIN
< X-XSS-Protection: 1; mode=block
< X-Content-Type-Options: nosniff
< X-Download-Options: noopen
< X-Permitted-Cross-Domain-Policies: none
< Referrer-Policy: strict-origin-when-cross-origin
< Cache-Control: no-cache
< X-Request-Id: 41d85ba5-74ed-4f36-b91b-b5b291ea83b5
< X-Runtime: 0.086406
< Date: Sat, 08 Jun 2019 04:33:47 GMT
< Connection: close
<
* Closing connection 0
- Related to Defect #10233: "update issue" silently ignores "status" field if the user is not part of the project, but changes other fields added
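A client-side read-after-write check for the behaviour reported in this issue, as an added example that is not part of the original report or of Redmine's own code. The names `dropped_fields`, `update_issue_verified`, `http_transport`, `fake_redmine` and `SilentUpdateError` are hypothetical, and the stand-in server is constructed to mimic the 204 response shown above.

```ruby
require "json"
require "net/http"
require "uri"
class SilentUpdateError < StandardError; end

# Requested attributes that the re-read issue does not reflect. Updates send
# "status_id" => 3; GET returns "status" => {"id" => 3}. Pass only echoed fields.
def dropped_fields(requested, issue)
  requested.reject { |key, want|
    got = key.end_with?("_id") ? issue.dig(key.delete_suffix("_id"), "id") : issue[key]
    got == want
  }.keys
end

# transport: callable (method, path, body) -> [http_status, body_string]
def update_issue_verified(transport, id, attrs)
  path = "/issues/#{id}.json"
  code, = transport.call(:put, path, JSON.generate("issue" => attrs))
  raise "update rejected: HTTP #{code}" unless (200..299).cover?(code)
  code, body = transport.call(:get, path, nil)
  raise "read-back failed: HTTP #{code}" unless code == 200
  dropped = dropped_fields(attrs, JSON.parse(body).fetch("issue"))
  raise SilentUpdateError, "HTTP 2xx but not applied: #{dropped.join(', ')}" unless dropped.empty?
  true
end

# Real transport over Net::HTTP with Basic auth, as in the curl call above.
def http_transport(base_url, user, password)
  uri = URI(base_url)
  lambda do |method, path, body|
    req = (method == :put ? Net::HTTP::Put : Net::HTTP::Get).new(path, "Content-Type" => "application/json")
    req.basic_auth(user, password)
    req.body = body if body
    res = Net::HTTP.start(uri.host, uri.port, use_ssl: uri.scheme == "https") { |h| h.request(req) }
    [res.code.to_i, res.body.to_s]
  end
end

# Constructed stand-in: every PUT gets 204, status_id applies only if `allowed`.
def fake_redmine(allowed)
  issue = { "id" => 1, "subject" => "demo", "status" => { "id" => 1, "name" => "New" } }
  lambda do |method, _path, body|
    next [200, JSON.generate("issue" => issue)] if method == :get
    sent = JSON.parse(body).fetch("issue")
    issue["subject"] = sent["subject"] if sent.key?("subject")
    issue["status"] = { "id" => sent["status_id"] } if allowed && sent.key?("status_id")
    [204, ""]
  end
end
```

Against a live instance, pass `http_transport(base_url, user, password)` in place of `fake_redmine`; an integration that treats `SilentUpdateError` as a failure no longer records a status change that never happened.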