diff --git a/doc/apiv3-documentation.apib b/doc/apiv3-documentation.apib
index 2070d08c8f..9bf60e3540 100644
--- a/doc/apiv3-documentation.apib
+++ b/doc/apiv3-documentation.apib
@@ -1370,6 +1370,8 @@ Updates an activity's comment and, on success, returns the updated activity.
 ## Edit WorkPackage [PATCH]
+**NOT IMPLEMENTED**
+
 + Parameters
     + id (required, integer, `1`) ... Work package id
diff --git a/lib/api/v3/work_packages/work_packages_api.rb b/lib/api/v3/work_packages/work_packages_api.rb
index cf32d20bf6..1e3e7efb48 100644
--- a/lib/api/v3/work_packages/work_packages_api.rb
+++ b/lib/api/v3/work_packages/work_packages_api.rb
@@ -53,16 +53,18 @@ module API
         @representer
       end
 
-      patch do
-        authorize(:edit_work_packages, context: @work_package.project)
-        @representer.from_json(env['api.request.input'])
-        @representer.represented.sync
-        if @representer.represented.model.valid? && @representer.represented.save
-          @representer
-        else
-          fail Errors::Validation.new(@representer.represented.model)
-        end
-      end
+      ##disabled to prevent security risks caused by missing setter restrictions
+      ##see https://community.openproject.org/work_packages/16768
+      #patch do
+      #  authorize(:edit_work_packages, context: @work_package.project)
+      #  @representer.from_json(env['api.request.input'])
+      #  @representer.represented.sync
+      #  if @representer.represented.model.valid? && @representer.represented.save
+      #    @representer
+      #  else
+      #    fail Errors::Validation.new(@representer.represented.model)
+      #  end
+      #end
 
       resource :activities do
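Review bot: Leaving the entire PATCH handler in place as commented-out code (`#patch do` through `#end`) makes it easy for a later change to simply uncomment it without adding the setter restrictions the comment itself says are missing, which is exactly the mass-assignment path this commit is closing. Since the linked issue already records the reason, delete the handler body and keep only the explanatory comment, written in the file's `# ` style rather than `##`: `# PATCH is disabled until the representer restricts which attributes from_json may set, see https://community.openproject.org/work_packages/16768`. A request spec asserting that PATCH on this route is rejected would also stop the endpoint from being re-enabled inadvertently before the representer whitelists writable attributes. The enclosing namespace block starts and ends outside the hunk.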