Create issue REST API allows an invalid security level to be set


      When creating issues through the REST API, it is possible to set a security level that doesn't exist in the security scheme associated with the project. The validation only exists if you try to create an issue with a security level that doesn't exist in the instance - the response will be:

      {"errorMessages":[],"errors":{"security":"The security level is invalid."}}

      But if you try to create an issue in one project and set a security level that exists in JIRA but doesn't exist in the security scheme associated with that project, the issue is created, it is shown in the issue navigator, and when trying to open it, the following message is received:

      Steps to replicate :

      1. Run the following curl command and ensure that the security level exists in the Jira site but is not tied to the Jira project in which you are trying to create the issue
        curl --location 'https://dooi.atlassian.net/rest/api/2/issue' \
        --header 'Content-Type: application/json' \
        --header 'Authorization: Basic <base64 of email:api_token>' \
        --data '{
            "fields": {
                "project": {
                    "key": "SCRUM"
                },
                "summary": "Example Issue created using postman with invalid security level for the project",
                "issuetype": {
                    "name": "Bug"
                },
                "security": {
                    "id": "10100"
                }
            }
        }'

        Please change the payload according to your project configuration (e.g. if you have mandatory fields you would need to include in the payload)

      2. A response such as the following will be returned if the REST API call succeeds
        {"id":"12039","key":"SCRUM-448","self":"https://your-atlassian-site.atlassian.net/rest/api/2/issue/12039"}
      3. Trying to access the issue will result in the following page

      Current behavior : The REST API accepts a security level that does not belong to the Jira project, causing the created issue to be inaccessible
      Expected behavior : The REST API should not allow a security level that can't be set on the Jira project, even if the security level ID exists at the Jira site level
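
Until the server enforces this, an integration can do the check itself. The following is an added example, not code from this report or from Atlassian: it validates a create payload against the project's own security levels and audits search results for issues already created with a foreign level. It assumes the levels come from `GET /rest/api/2/project/{projectKey}/securitylevel` and that search results carry the `project` and `security` fields; all sample data and function names are constructed.

```python
# Constructed sample: body of GET /rest/api/2/project/SCRUM/securitylevel
# (assumed shape: {"levels": [{"id": ..., "name": ...}, ...]}).
SCRUM_LEVELS = {"levels": [{"id": "10000", "name": "Internal"},
                           {"id": "10001", "name": "Staff only"}]}

# Constructed sample: the create-issue payload from the report.
PAYLOAD = {"fields": {"project": {"key": "SCRUM"}, "issuetype": {"name": "Bug"},
                      "summary": "Example issue", "security": {"id": "10100"}}}

# Constructed sample: trimmed search result with project and security fields.
SEARCH = {"issues": [
    {"key": "SCRUM-447", "fields": {"project": {"key": "SCRUM"}, "security": {"id": "10000"}}},
    {"key": "SCRUM-448", "fields": {"project": {"key": "SCRUM"}, "security": {"id": "10100"}}},
    {"key": "SCRUM-449", "fields": {"project": {"key": "SCRUM"}, "security": None}},
]}


def allowed_ids(levels_response):
    """IDs of the security levels the project's scheme offers."""
    return {str(lvl["id"]) for lvl in levels_response.get("levels", [])}


def validate_payload(payload, levels_response):
    """Return an error dict in the API's own shape; empty 'errors' means OK."""
    errors = {}
    security = payload.get("fields", {}).get("security")
    if security is not None:
        level_id = str(security.get("id", ""))
        if level_id not in allowed_ids(levels_response):
            errors["security"] = f"Security level {level_id} is not in the project's scheme."
    return {"errorMessages": [], "errors": errors}


def find_orphaned(search_response, levels_by_project):
    """Keys of existing issues whose level is outside their project's scheme."""
    orphaned = []
    for issue in search_response.get("issues", []):
        fields = issue["fields"]
        security = fields.get("security")
        allowed = allowed_ids(levels_by_project.get(fields["project"]["key"], {}))
        if security and str(security["id"]) not in allowed:
            orphaned.append(issue["key"])
    return orphaned


if __name__ == "__main__":
    print(validate_payload(PAYLOAD, SCRUM_LEVELS))
    print(find_orphaned(SEARCH, {"SCRUM": SCRUM_LEVELS}))
```

The security-level endpoint lists only the levels visible to the calling account, so run the audit with an account that can see every level in the project's scheme.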

              Assignee: Unassigned
              Reporter: Der Lun (Inactive)
              Votes: 3
              Watchers: 10
