Details
- Bug
- Resolution: Unresolved
- Low
- None
- 6.0.4, 6.2.6, 6.3.8
- 6
- 2
- Severity 3 - Minor
- 1
Description
REST API - GET project role information only works as Project Admin
Example:
http://localhost:63811/jira/rest/api/2/project/TEST/role/10002
returns:
HTTP/1.1 401 Unauthorized
Server: Apache-Coyote/1.1
X-AREQUESTID: 679x416x1
Set-Cookie: JSESSIONID=15D9E0B2D0D56930F2934203C56930EE; Path=/jira/; HttpOnly
X-Seraph-LoginReason: OK
Set-Cookie: atlassian.xsrf.token=BX17-GJQD-Z4H1-3K7I|82a693923788d7a70209dd7e473ba43dfc461ede|lin; Path=/jira
X-ASESSIONID: 18jpep3
X-AUSERNAME: testuser
Cache-Control: no-cache, no-store, no-transform
X-Content-Type-Options: nosniff
WWW-Authenticate: OAuth realm="http%3A%2F%2Flocalhost%3A63811%2Fjira"
Content-Type: application/json;charset=UTF-8
Transfer-Encoding: chunked
Date: Wed, 12 Nov 2014 17:19:35 GMT

{"errorMessages":["You cannot edit the configuration of this project."],"errors":{}}
This works fine as a Project Admin, but fails with any other permission, such as "Browse Project" or the Developer or User role. The GET appears to check permissions as if an edit were taking place rather than a simple read.
Response as admin:
HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
X-AREQUESTID: 680x496x1
Set-Cookie: JSESSIONID=09D13366B035939FB17512CAD9D266B2; Path=/jira/; HttpOnly
X-Seraph-LoginReason: OK
Set-Cookie: atlassian.xsrf.token=BX17-GJQD-Z4H1-3K7I|416dc69844f7e98e2f1700a91b69af416dae2045|lin; Path=/jira
X-ASESSIONID: ygbh8f
X-AUSERNAME: testuser
Cache-Control: no-cache, no-store, no-transform
X-Content-Type-Options: nosniff
Content-Type: application/json;charset=UTF-8
Transfer-Encoding: chunked
Date: Wed, 12 Nov 2014 17:20:17 GMT
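As an added regression check (not part of this report or of Jira's own code), the Python below parses the two captures quoted above and flags the reported symptom: a 401 on a session whose headers show it is already authenticated, with an error message about editing. The headers are trimmed to the ones the check uses, and the body of the admin response is assumed.

```python
import json

# Sample responses constructed from the two captures quoted in the report
# (headers trimmed to the ones the check uses; the admin body is assumed).
NON_ADMIN_RAW = """HTTP/1.1 401 Unauthorized
X-Seraph-LoginReason: OK
X-AUSERNAME: testuser
WWW-Authenticate: OAuth realm="http%3A%2F%2Flocalhost%3A63811%2Fjira"
Content-Type: application/json;charset=UTF-8

{"errorMessages":["You cannot edit the configuration of this project."],"errors":{}}"""

ADMIN_RAW = """HTTP/1.1 200 OK
X-Seraph-LoginReason: OK
X-AUSERNAME: testuser
Content-Type: application/json;charset=UTF-8

{"id":10002,"name":"Users","actors":[]}"""


def parse_http_response(raw):
    """Split a raw HTTP/1.1 response into (status_code, headers, body).
    Header names are lower-cased; repeated headers (e.g. Set-Cookie) are kept as a list."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    status_line, *header_lines = head.split("\n")
    status = int(status_line.split(" ", 2)[1])
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return status, headers, body.strip()


def classify_role_get(raw):
    """Verdict for a GET .../project/{key}/role/{id} response.
    The reported bug shows up as a 401 on an already authenticated session
    (X-Seraph-LoginReason: OK plus X-AUSERNAME) whose error text talks about
    editing, i.e. the read path is enforcing the project-admin edit check."""
    status, headers, body = parse_http_response(raw)
    if status == 200:
        return "ok"
    try:
        messages = json.loads(body).get("errorMessages", [])
    except ValueError:
        messages = []
    authenticated = headers.get("x-seraph-loginreason") == ["OK"] and "x-ausername" in headers
    edit_check = any("cannot edit" in m.lower() for m in messages)
    if status == 401 and authenticated and edit_check:
        return "bug: read endpoint applies the edit permission check"
    if status in (401, 403):
        return "denied"
    return "unexpected status %d" % status
```

Point it at responses captured for a Browse-Project-only user to confirm whether a given Jira version still shows the mismatch.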