Description
The workitem query API contained a bug that allowed users without the workitems:workitem:view permission to perform a query. As a result, even if the user was missing the permission, they would receive a 200 response with an empty list of entities rather than an authorization error, so a misconfigured integration could not tell a missing permission apart from an empty result set.
The bug has now been fixed and the user will see an error message.
Current response without permission:
Response: 200
{
  "entities": []
}
API response after bug fix:
Response: 403
{
  "message": "Unable to perform the requested action. You must have permission workitems:workitem:view in at least one division.",
  "code": "workitem.missing.any.division.permissions",
  "status": 403,
  "contextId": "<contextId>",
  "details": [],
  "errors": []
}
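The following is an added client-side example, not code from the change note or from the platform SDK. It shows how an integration calling this endpoint should treat the two response shapes above so that a missing workitems:workitem:view permission is surfaced as an error instead of being silently processed as "no work items". The function names and the WorkitemQueryError class are assumptions; the sample responses are constructed from the bodies shown in the note.

```python
"""Handle responses from POST /api/v2/taskmanagement/workitems/query.

Added example (not vendor code). Distinguishes the documented 403 permission
error from a genuine 200 with no matching entities, so that automation never
mistakes a missing permission for an empty work queue."""
import json

PERMISSION_CODE = "workitem.missing.any.division.permissions"  # from the change note
REQUIRED_PERMISSION = "workitems:workitem:view"                  # from the change note


class WorkitemQueryError(Exception):
    """Raised for any non-success response; carries the API error code."""

    def __init__(self, status, code, message, context_id=None):
        super().__init__(f"{status} {code}: {message}")
        self.status, self.code, self.message, self.context_id = status, code, message, context_id


def classify_query_response(status, body):
    """Return ("ok", entities), ("forbidden", code) or ("error", code).

    `body` is the raw response text. A 200 whose body has no entities list is
    treated as an error, not as an empty result."""
    try:
        payload = json.loads(body) if body else {}
    except json.JSONDecodeError:
        return ("error", "unparseable.body")
    if status == 200:
        entities = payload.get("entities")
        return ("ok", entities) if isinstance(entities, list) else ("error", "missing.entities")
    code = payload.get("code", f"http.{status}")
    return ("forbidden", code) if status == 403 else ("error", code)


def handle_query_response(status, body):
    """Return the entities on success; raise WorkitemQueryError otherwise."""
    kind, value = classify_query_response(status, body)
    if kind == "ok":
        return value
    payload = json.loads(body) if body else {}
    raise WorkitemQueryError(status, value, payload.get("message", ""), payload.get("contextId"))


# Constructed sample responses mirroring the change note (not captured from a live tenant).
RESPONSE_BEFORE_FIX = (200, '{"entities": []}')
RESPONSE_AFTER_FIX = (403, json.dumps({
    "message": f"Unable to perform the requested action. You must have permission "
               f"{REQUIRED_PERMISSION} in at least one division.",
    "code": PERMISSION_CODE, "status": 403, "contextId": "<contextId>",
    "details": [], "errors": []}))
```

Before the fix the first sample is indistinguishable from a legitimately empty queue, which is why a client should also verify the calling OAuth client's permissions when the query consistently returns nothing.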
Change Category
API
Change Context
Bug fix. Requests where the user did not have the correct permissions should always have returned a 403 Forbidden response.
Change Impact
Users performing queries without permission will now see a 403 response.
Date of Change
18 Jul 2024
Impacted APIs
POST /api/v2/taskmanagement/workitems/query
References
WORKITEMS-2798