Error response returned from workitem query api when caller has no division permissions

Description

The workitem query API contained a bug that allowed users without the workitems:workitem:view permission to perform a query. As a result, a user who was missing the permission would receive a 200 response with an empty list of entities instead of an error, so a permission misconfiguration was indistinguishable from "no matching work items".

The bug has now been fixed and such users will receive a 403 error response.

API response before the bug fix (caller without permission):

Response: 200
{
  "entities": []
}

API response after the bug fix (caller without permission):

Response: 403
{
  "message": "Unable to perform the requested action. You must have permission workitems:workitem:view in at least one division.",
  "code": "workitem.missing.any.division.permissions",
  "status": 403,
  "contextId": "<contextId>",
  "details": [],
  "errors": []
}

Change Category

API

Change Context

Bug fix. Requests from users without the required permission should always have returned a 403 Forbidden response rather than a 200 with an empty result.

Change Impact

Users performing queries without the required permission will now receive a 403 response instead of a 200 with an empty entities list. Client code that treated the empty list as a successful query should be prepared to handle the 403 and its error code.
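The following is an added example of client-side handling for this change; it is not part of the change notice and not the platform's own SDK. It shows how a caller of POST /api/v2/taskmanagement/workitems/query can tell a legitimate empty result (HTTP 200 with an empty entities list) apart from the permission error introduced by the fix (HTTP 403 with code workitem.missing.any.division.permissions), and why the 403 should not be retried. The HTTP layer is stubbed: the two sample responses are constructed from the bodies shown above, and the class and function names are the example's own.

```python
"""Handle responses from POST /api/v2/taskmanagement/workitems/query.

Added example (not the platform's SDK). Distinguishes a genuine empty result
from the post-fix 403 so that a missing workitems:workitem:view permission
surfaces as an error instead of looking like "no work items".
"""
import json

# Values taken from the change notice.
MISSING_DIVISION_PERMISSION_CODE = "workitem.missing.any.division.permissions"
REQUIRED_PERMISSION = "workitems:workitem:view"


class WorkitemPermissionError(PermissionError):
    """Caller lacks workitems:workitem:view in every division (hypothetical class)."""

    def __init__(self, message, code, context_id):
        super().__init__(message)
        self.code = code
        # Keep the contextId: it is what support needs to correlate the request.
        self.context_id = context_id


def handle_query_response(status, body_text):
    """Interpret one query response.

    Returns the list of entities on a 2xx response. Raises
    WorkitemPermissionError for the 403 produced by the fix, and RuntimeError
    for any other non-2xx status, so callers never silently treat a failed
    query as an empty result.
    """
    body = json.loads(body_text) if body_text else {}

    if 200 <= status < 300:
        entities = body.get("entities")
        if not isinstance(entities, list):
            raise RuntimeError(f"unexpected success body: {body!r}")
        return entities

    if status == 403 and body.get("code") == MISSING_DIVISION_PERMISSION_CODE:
        # Deterministic authorization failure: retrying will not help, so
        # raise a distinct exception the caller can log and stop on.
        raise WorkitemPermissionError(
            body.get("message", f"missing permission {REQUIRED_PERMISSION}"),
            body["code"],
            body.get("contextId"),
        )

    raise RuntimeError(f"query failed: HTTP {status} code={body.get('code')!r}")


def query_outcome(status, body_text):
    """Convenience wrapper returning ('ok', entities) or ('forbidden', code)."""
    try:
        return ("ok", handle_query_response(status, body_text))
    except WorkitemPermissionError as err:
        return ("forbidden", err.code)


# Constructed sample responses, copied from the change notice (not live traffic).
PRE_FIX_RESPONSE = (200, '{"entities": []}')
POST_FIX_RESPONSE = (
    403,
    json.dumps({
        "message": "Unable to perform the requested action. You must have "
                   "permission workitems:workitem:view in at least one division.",
        "code": MISSING_DIVISION_PERMISSION_CODE,
        "status": 403,
        "contextId": "<contextId>",
        "details": [],
        "errors": [],
    }),
)


if __name__ == "__main__":
    # Before the fix the client saw an ordinary empty page; after it, the
    # same misconfiguration is reported as a permission error.
    print(query_outcome(*PRE_FIX_RESPONSE))
    print(query_outcome(*POST_FIX_RESPONSE))
```

A poller that only checked for a 200 and an empty list would, before the fix, loop forever doing nothing while the integration user was misconfigured; treating the 403 as a terminal error (and alerting on it) makes the missing division permission visible the first time the query runs.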

Date of Change

18 Jul 2024

Impacted APIs

POST /api/v2/taskmanagement/workitems/query

References

WORKITEMS-2798
