[API | Clearance] Authorizations not taken into account for endpoint 'projects/{id}/campaign' 'projects/{id}/requirements' '/projects/{id}/test-cases'

Affected versions: Squash v9.0.0.it2 and 7.3.release

If I don't have access to a project, I can view its campaigns via the following endpoints:

  1. projects/{id}/campaigns
  2. /projects/{id}/requirements
  3. /projects/{id}/test-cases

Steps:

  • Have 2 projects with campaigns, with the user only authorized for project1
  • Send the API request /api/rest/latest/projects/ID_PROJET2/campaigns
Edited by VIGNON Séverine
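
A regression check for the steps above, added here as an example; it is not part of the original report or of Squash's own code. It assumes HTTP Basic authentication, that a correct denial is a 403 or 404, and that project ids 1 (authorized) and 2 (not authorized) stand in for the two projects; the stubs are constructed so the check runs offline.

```python
import base64
import urllib.error
import urllib.request

# Sub-resources and base path as named in the report.
SUBRESOURCES = ("campaigns", "requirements", "test-cases")
API_ROOT = "/api/rest/latest/projects"

def http_status(base_url, user, password, path):
    """GET base_url + path with Basic auth (assumed scheme); return the HTTP status."""
    req = urllib.request.Request(base_url.rstrip("/") + path)
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req.add_header("Authorization", "Basic " + token)
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code

def check_project_isolation(get_status, allowed_id, forbidden_id):
    """Return a list of (path, reason) failures; empty means clearance is enforced.

    get_status(path) -> int is injected, e.g.
    lambda p: http_status(base_url, user, password, p) against a test instance.
    """
    failures = []
    for sub in SUBRESOURCES:
        # Control: the authorized project must stay readable, otherwise a
        # blanket denial would make the check pass for the wrong reason.
        path = f"{API_ROOT}/{allowed_id}/{sub}"
        if get_status(path) != 200:
            failures.append((path, "expected 200 on authorized project"))
        path = f"{API_ROOT}/{forbidden_id}/{sub}"
        status = get_status(path)
        if status not in (403, 404):  # assumed denial codes
            failures.append((path, f"expected denial, got {status}"))
    return failures

# Constructed stubs: the user is cleared for project 1 only.
def vulnerable_stub(path):
    return 200  # behaviour described in the report: clearance ignored

def fixed_stub(path):
    return 200 if path.startswith(f"{API_ROOT}/1/") else 403

if __name__ == "__main__":
    for name, stub in (("vulnerable", vulnerable_stub), ("fixed", fixed_stub)):
        print(name, check_project_isolation(stub, 1, 2))
```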