HTTP 400 error with misleading information is returned when creating an issue through the REST API as a user with insufficient permission or an invalid Authorization header


    • Type: Bug
    • Resolution: Unresolved
    • Priority: Low
    • None
    • Affects Version/s: 6.3, 6.4, 7.0.0, 9.12.15, 9.16.1
    • Component/s: REST API
    • 6.03
    • 11
    • Severity 3 - Minor
    • 1

      Summary

      An HTTP 400 error with misleading information is returned when creating an issue through the REST API as a user with insufficient permission or an invalid Authorization header.

      Steps to reproduce

      1. Create a new user, UserA.
      2. Remove the "Create Issues" permission from UserA.
      3. While logged in as UserA, try to create an issue through the REST endpoint (i.e. POST to /rest/api/2/issue).
        I used this JSON on my instance:
        {
            "fields": {
                "project": {"key": "DESK"},
                "summary": "REST ye merry gentlemen.",
                "description": "Creating of an issue using project keys and issue type names using the REST API",
                "issuetype": {"name": "Task"}
            }
        }
        

      Another way to reproduce this issue is with a misconfigured Authorization header. For example, use Bearer <base64-encoded_credential> instead of Basic <base64-encoded_credential>.

      Current behaviour

      HTTP 400 code is returned with the message indicating some issues with the fields.

      {
          "errorMessages": [],
          "errors": {
              "summary": "Field 'summary' cannot be set. It is not on the appropriate screen, or unknown.",
              "description": "Field 'description' cannot be set. It is not on the appropriate screen, or unknown."
          }
      }
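
A client-side triage sketch for the response above, added here as an example; it is not part of the original report and not Jira's own code. The function names, the sample credential and the rule that a rejected 'summary' field points at permissions are assumptions made for illustration.

```python
import base64

# Per-field message taken from the response shown in this report.
MISLEADING = "cannot be set. It is not on the appropriate screen, or unknown."
# Constructed sample credential (not a real account).
SAMPLE_CRED = base64.b64encode(b"usera:constructed-password").decode()
# Response body as shown under "Current behaviour".
SAMPLE_BODY = {"errorMessages": [], "errors": {
    "summary": "Field 'summary' " + MISLEADING,
    "description": "Field 'description' " + MISLEADING}}


def check_auth_header(value):
    """Return a description of an Authorization header problem, or None."""
    scheme, _, token = value.partition(" ")
    if not token:
        return "header has no credential part"
    try:
        decoded = base64.b64decode(token, validate=True).decode("utf-8")
    except ValueError:  # covers bad base64 and non-UTF-8 bytes
        decoded = ""
    looks_basic = ":" in decoded  # user:password shape
    if scheme.lower() == "bearer" and looks_basic:
        return "Bearer scheme sent with a Basic-style user:password credential"
    if scheme.lower() == "basic" and not looks_basic:
        return "Basic scheme but credential is not base64 of user:password"
    return None


def triage_create_issue_400(status, body, sent_fields, auth_header):
    """Classify a failed POST /rest/api/2/issue as 'auth-header',
    'permission-suspect', 'field-error' or 'other'."""
    if status != 400:
        return "other"
    errors = body.get("errors", {})
    rejected = {f for f, msg in errors.items() if msg.endswith(MISLEADING)}
    if not rejected:
        return "field-error"
    if check_auth_header(auth_header):
        return "auth-header"
    # Heuristic (assumption): 'summary' is expected on every create screen,
    # so its rejection suggests missing "Create Issues" permission instead.
    if "summary" in rejected and "summary" in sent_fields:
        return "permission-suspect"
    return "field-error"
```
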

       

      Expected behaviour

      Proper HTTP error code and message are returned when the user doesn't have permission to create the issue. 

      Workaround

      none

            Assignee:
            Unassigned
            Reporter:
            bain
            Votes:
            15
            Watchers:
            11

              Created:
              Updated: