Conversation

@akabiru
Member

@akabiru akabiru commented Jan 28, 2026

Ticket

https://community.openproject.org/wp/70979

What are you trying to accomplish?

Fix internal comments authorization bug where the API v3 allows reading/writing internal comments when the enabled_internal_comments project setting is disabled or when the EnterpriseToken doesn't allow it.

  • Enforce EnterpriseToken and Project setting checks to API contracts & scope
  • Add GET /api/v3/projects/:id/configuration endpoint that returns all global configuration plus enabledInternalComments project setting
[Screenshot attached to the description, dated 2026-01-29]

What approach did you choose and why?

Enforcement Layer: Added the missing checks at the appropriate layers:

  • Reading: The internal_visible scope already checked project setting and permission, but was missing the EnterpriseToken check
  • Writing: The CreateNoteContract already checked EnterpriseToken and permission, but was missing the project setting check

Configuration API: Extended the existing Configuration API with a project-scoped endpoint rather than modifying the Capabilities API because:

  • Capabilities API is optimized for role/permission lookups - adding project settings would conflate concerns
  • The global Configuration API already exposes availableFeatures (enterprise token features)
  • A project-scoped configuration endpoint provides a single call for mobile apps to get everything they need

Merge checklist

  • Added/updated tests
  • Added/updated documentation in Lookbook (patterns, previews, etc)
  • Tested major browsers (Chrome, Firefox, Edge, ...)

The API v3 was allowing reading/writing internal comments when both the
enterprise token doesn't allow it and when the project setting is disabled.

Reading (GET):
- Added EnterpriseToken check to internal_visible scope

Writing (POST):
- Added project.enabled_internal_comments check to CreateNoteContract
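The description and commit message above name two gates that were each enforced on only one side: the read scope checked the project setting but not the enterprise token, and the write contract checked the token but not the project setting. The following is an added illustration written for this page, not OpenProject's code, of the defensive pattern the fix converges on: a single policy that evaluates every gate (enterprise feature, project setting, permission), reused by both a scope-style read filter and a contract-style write validation so the two paths cannot drift apart again. All class names, the `:internal_comments` feature symbol, the permission symbols and the sample data are constructed for the example.

```ruby
# Added illustration, not OpenProject's code: a self-contained model of the
# authorization gates described in the pull request, applied on both the read
# path (scope-style filter) and the write path (contract-style validation).
# Every class, symbol and sample value below is constructed for the example.

EnterpriseToken = Struct.new(:features) do
  def allows_to?(feature)
    features.include?(feature)
  end
end

Project = Struct.new(:name, :enabled_internal_comments)

User = Struct.new(:permissions) do
  def allowed_in_project?(permission, _project)
    permissions.include?(permission)
  end
end

Journal = Struct.new(:id, :internal, :project)

module InternalCommentsPolicy
  FEATURE = :internal_comments

  # The single place where all gates are evaluated. Returns the symbol naming
  # the first gate that blocks, or nil when internal comments are allowed.
  def self.blocking_reason(token:, project:, user:, permission:)
    return :enterprise_feature_disabled unless token.allows_to?(FEATURE)
    return :feature_disabled_for_project unless project.enabled_internal_comments
    return :permission_missing unless user.allowed_in_project?(permission, project)

    nil
  end
end

# Read path: public journals always pass; internal ones only when no gate blocks.
def visible_journals(journals, user:, token:)
  journals.select do |journal|
    next true unless journal.internal

    InternalCommentsPolicy.blocking_reason(
      token: token, project: journal.project, user: user, permission: :view_internal_comments
    ).nil?
  end
end

# Write path: a contract that records the blocking gate as a validation error.
class CreateNoteContract
  attr_reader :errors

  def initialize(journal, user:, token:)
    @journal = journal
    @user = user
    @token = token
    @errors = []
  end

  def valid?
    @errors = []
    if @journal.internal
      reason = InternalCommentsPolicy.blocking_reason(
        token: @token, project: @journal.project, user: @user, permission: :add_internal_comments
      )
      @errors << reason if reason
    end
    @errors.empty?
  end
end

# Constructed sample data exercising the three situations that matter:
# reading with and without the enterprise feature, and writing into a project
# that has the setting switched off.
def demo
  full_token = EnterpriseToken.new([:internal_comments])
  free_token = EnterpriseToken.new([])
  project_on = Project.new("on", true)
  project_off = Project.new("off", false)
  member = User.new([:view_internal_comments, :add_internal_comments])
  journals = [Journal.new(1, false, project_on), Journal.new(2, true, project_on)]

  {
    read_with_token: visible_journals(journals, user: member, token: full_token).map(&:id),
    read_without_token: visible_journals(journals, user: member, token: free_token).map(&:id),
    write_setting_off: CreateNoteContract.new(Journal.new(3, true, project_off),
                                              user: member, token: full_token).tap(&:valid?).errors
  }
end

puts demo.inspect if __FILE__ == $PROGRAM_NAME
```

Running the file prints the three outcomes: the internal journal is visible only with the feature-bearing token, and the contract rejects an internal note in a project whose setting is off with `:feature_disabled_for_project`, the same error key the PR adds to the locale file. The design choice worth copying is that neither the filter nor the contract lists the gates itself; adding a gate means editing one method, so read and write authorization stay symmetric.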
@akabiru akabiru added this to the 17.1.x milestone Jan 28, 2026
@akabiru akabiru self-assigned this Jan 28, 2026
@akabiru akabiru force-pushed the bug/70979-bug-api-v3-allows-reading-writing-internal-comments-when-the-enable-internal-comments-project-setting-is-disabled branch 2 times, most recently from fdc3236 to 3adc142 Compare January 28, 2026 18:53
@akabiru akabiru changed the title Bug/70979 bug api v3 allows reading writing internal comments when the enable internal comments project setting is disabled Bug/70979 api v3 allows reading writing internal comments when the enable internal comments project setting is disabled Jan 28, 2026
@akabiru akabiru force-pushed the bug/70979-bug-api-v3-allows-reading-writing-internal-comments-when-the-enable-internal-comments-project-setting-is-disabled branch from 3adc142 to 80b111d Compare January 29, 2026 07:03
Adds `GET /api/v3/projects/:id/configuration` endpoint that returns
all global configuration properties plus project-specific settings.

This allows client apps to check both enterprise token features
(availableFeatures) and project settings (enabledInternalComments)
in a single API call.
@akabiru akabiru force-pushed the bug/70979-bug-api-v3-allows-reading-writing-internal-comments-when-the-enable-internal-comments-project-setting-is-disabled branch from 80b111d to 8dbac61 Compare January 29, 2026 09:25
@akabiru akabiru marked this pull request as ready for review January 29, 2026 09:27
@akabiru akabiru changed the base branch from dev to release/17.1 January 29, 2026 09:35
@akabiru akabiru requested review from a team and Copilot January 29, 2026 09:35
Contributor

Copilot AI left a comment

Pull request overview

This pull request fixes a security vulnerability where the API v3 allowed reading and writing internal comments even when the enabled_internal_comments project setting was disabled or when the Enterprise Token doesn't support the feature.

Changes:

  • Added enterprise token check to the internal_visible scope in WorkPackage::Journalized to prevent reading internal comments when the token doesn't allow it
  • Added project setting validation to CreateNoteContract to prevent creating internal comments when disabled at the project level
  • Introduced a new /api/v3/projects/:id/configuration endpoint that returns global configuration plus project-specific settings like enabledInternalComments

Reviewed changes

Copilot reviewed 20 out of 20 changed files in this pull request and generated 3 comments.

File Description
app/models/work_package/journalized.rb Added EnterpriseToken check to internal_visible scope to enforce authorization when reading internal comments
app/contracts/work_packages/create_note_contract.rb Added project setting validation to prevent creating internal comments when disabled for the project
lib/api/v3/projects/configuration/project_configuration_api.rb New API endpoint for project-scoped configuration
lib/api/v3/projects/configuration/project_configuration_representer.rb Representer for project configuration extending global configuration with project settings
lib/api/v3/workspaces/nested_apis.rb Mounted ProjectConfigurationAPI under workspaces
lib/api/v3/utilities/path_helper.rb Added path helper methods for project and workspace configuration endpoints
docs/api/apiv3/paths/project_configuration.yml OpenAPI documentation for the new project configuration endpoint
docs/api/apiv3/components/schemas/project_configuration_model.yml Schema definition for project configuration model
docs/api/apiv3/openapi-spec.yml Updated OpenAPI spec to include new project configuration endpoint and schema
config/locales/en.yml Added translation for feature_disabled_for_project error message
spec/requests/api/v3/projects/configuration/project_configuration_resource_spec.rb Comprehensive tests for the new configuration API endpoint
spec/requests/api/v3/activities_by_work_package_resource_spec.rb Added test for creating internal comments when project setting is disabled
spec/contracts/work_packages/create_note_contract_spec.rb Added test for project setting validation in contract
spec/models/work_package/work_package_acts_as_journalized_spec.rb Updated tests to use with_ee flag and verify enterprise token enforcement
spec/services/work_packages/activities_tab/paginator_spec.rb Updated test to use with_ee flag for internal comments
spec/requests/api/v3/emoji_reactions/emoji_reactions_by_work_package_comments_api_spec.rb Updated test to use with_ee flag
spec/models/concerns/emoji_reactions/grouped_queries_spec.rb Updated tests to use with_ee flags
spec/helpers/work_packages_helper_spec.rb Updated test to use with_ee flag
spec/features/activities/work_package/activities_spec.rb Updated test suite to use with_ee flag
spec/controllers/work_packages_controller_spec.rb Updated test to use with_ee flag

@akabiru
Member Author

akabiru commented Jan 29, 2026

@copilot open a new pull request to apply changes based on the comments in this thread

Contributor

Copilot AI commented Jan 29, 2026

@akabiru I've opened a new pull request, #21807, to work on those changes. Once the pull request is ready, I'll request review from you.

@akabiru akabiru marked this pull request as draft January 29, 2026 10:16
@akabiru akabiru force-pushed the bug/70979-bug-api-v3-allows-reading-writing-internal-comments-when-the-enable-internal-comments-project-setting-is-disabled branch from e9928c4 to 4ca0236 Compare January 29, 2026 10:42
@akabiru akabiru force-pushed the bug/70979-bug-api-v3-allows-reading-writing-internal-comments-when-the-enable-internal-comments-project-setting-is-disabled branch from 94f9e7f to 1bca833 Compare January 29, 2026 10:50
@akabiru akabiru marked this pull request as ready for review January 29, 2026 10:51
Contributor

@judithroth judithroth left a comment

Nice work! I have only one small question about the documentation

@akabiru akabiru merged commit f77d0d6 into release/17.1 Jan 29, 2026
22 checks passed
@akabiru akabiru deleted the bug/70979-bug-api-v3-allows-reading-writing-internal-comments-when-the-enable-internal-comments-project-setting-is-disabled branch January 29, 2026 13:34
@github-actions github-actions bot locked and limited conversation to collaborators Jan 29, 2026