API: creating an issue with an invalid project_id should return 422 instead of 403 (#19276).

git-svn-id: http://svn.redmine.org/redmine/trunk@14141 e93f8b46-1217-0410-a6f0-8f06a7374b81
2025-11-17 18:50:53 +01:00 · 2015-03-20 10:02:45 +00:00
parent c0c05ec41e
commit d509341797
2 changed files with 6 additions and 1 deletions
--- a/app/controllers/issues_controller.rb
+++ b/app/controllers/issues_controller.rb
@@ -133,7 +133,7 @@ class IssuesController < ApplicationController
  end

  def create
-    unless User.current.allowed_to?(:add_issues, @issue.project)
+    unless User.current.allowed_to?(:add_issues, @issue.project, :global => true)
      raise ::Unauthorized
    end
    call_hook(:controller_issues_new_before_save, { :params => params, :issue => @issue })
--- a/test/integration/api_test/issues_test.rb
+++ b/test/integration/api_test/issues_test.rb
@@ -444,6 +444,11 @@ JSON
    assert json['errors'].include?("Subject cannot be blank")
  end

+  test "POST /issues.json with invalid project_id should respond with 422" do
+    post '/issues.json', {:issue => {:project_id => 999, :subject => "API"}}, credentials('jsmith')
+    assert_response 422
+  end
+
  test "PUT /issues/:id.xml" do
    assert_difference('Journal.count') do
      put '/issues/6.xml',