temporarily disable PATCH for workpackages

- should be currently unused
- contains critical security flaws that should not make it into OP 4.0
pull/2036/head
Jan Sandbrink 10 years ago
parent 43ef00e47d
commit c5fe2f63ac
  1. 2
      doc/apiv3-documentation.apib
  2. 22
      lib/api/v3/work_packages/work_packages_api.rb

@ -1370,6 +1370,8 @@ Updates an activity's comment and, on success, returns the updated activity.
## Edit WorkPackage [PATCH]
**NOT IMPLEMENTED**
+ Parameters
+ id (required, integer, `1`) ... Work package id

@ -53,16 +53,18 @@ module API
@representer
end
patch do
authorize(:edit_work_packages, context: @work_package.project)
@representer.from_json(env['api.request.input'])
@representer.represented.sync
if @representer.represented.model.valid? && @representer.represented.save
@representer
else
fail Errors::Validation.new(@representer.represented.model)
end
end
##disabled to prevent security risks caused by missing setter restrictions
##see https://community.openproject.org/work_packages/16768
#patch do
# authorize(:edit_work_packages, context: @work_package.project)
# @representer.from_json(env['api.request.input'])
# @representer.represented.sync
# if @representer.represented.model.valid? && @representer.represented.save
# @representer
# else
# fail Errors::Validation.new(@representer.represented.model)
# end
#end
resource :activities do
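Review bot: Nothing in this change pins the PATCH route as disabled, so a later revert or merge could bring back `@representer.from_json(env['api.request.input'])` with the missing setter restrictions unnoticed. A request spec asserting that PATCH on a work package is rejected would guard against that. The commented-out block also gives only a link as its reason; I would state the re-enable condition next to it, e.g. `# re-enable only once the representer restricts which attributes a client may set`, or delete the block and rely on version control. The enclosing `module API` block starts and ends outside the hunk.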
