Description of problem: API for the Bug WebService, Such as Bug.update, under jsonrpc.cgi returns a 403 (Forbidden) when used. This is regardless of parameters used. How reproducible: Reproducible for any method that requires and HTTP Post Steps to Reproduce: Use an HTTP applications such as curl to hit the API. Example: curl -v -X POST "https://bugzilla.redhat.com/jsonrpc.cgi?method=Bug.update¶ms=%5B%7B%22ids%22%3A%5B923444%5D%2C%20%22status%22%3A%22modified%22%7D%5D" Actual results: No update of the bug specified to the status "modified" and the report from curl * About to connect() to bugzilla.redhat.com port 443 (#0) * Trying 10.4.127.4... connected * Connected to bugzilla.redhat.com (10.4.127.4) port 443 (#0) * Initializing NSS with certpath: sql:/etc/pki/nssdb * CAfile: /etc/pki/tls/certs/ca-bundle.crt CApath: none * SSL connection using TLS_DHE_RSA_WITH_AES_256_CBC_SHA * Server certificate: * subject: CN=*.redhat.com,OU=Web Operations,O=Red Hat Inc,L=Raleigh,ST=North Carolina,C=US,serialNumber=XeSJbTqpNUErLA/DI3Cs5qXyDcU1HYm2 * start date: Nov 15 13:44:10 2011 GMT * expire date: Nov 17 11:36:58 2013 GMT * common name: *.redhat.com * issuer: CN=GeoTrust SSL CA,O="GeoTrust, Inc.",C=US > POST /jsonrpc.cgi?method=Bug.update¶ms=%5B%7B%22ids%22%3A%5B923444%5D%2C%20%22status%22%3A%22modified%22%7D%5D HTTP/1.1 > User-Agent: curl/7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 NSS/3.13.1.0 zlib/1.2.3 libidn/1.18 libssh2/1.2.2 > Host: bugzilla.redhat.com > Accept: */* > < HTTP/1.1 403 Forbidden < Date: Tue, 02 Apr 2013 20:04:15 GMT < Server: Apache < X-xss-protection: 1; mode=block < X-frame-options: SAMEORIGIN < X-content-type-options: nosniff < Vary: Accept-Encoding,User-Agent < Content-Type: application/json; charset=UTF-8 < Connection: close < Transfer-Encoding: chunked Expected results: The bug should be updated with the status "modified" and a JSON sent back in accordance to the API. Additional info: User credentials being sent in params has no effect.
(In reply to comment #0) > Description of problem: > > API for the Bug WebService, Such as Bug.update, under jsonrpc.cgi returns a > 403 (Forbidden) when used. This is regardless of parameters used. > > How reproducible: > Reproducible for any method that requires and HTTP Post > > Example: > curl -v -X POST > "https://bugzilla.redhat.com/jsonrpc.cgi?method=Bug. > update¶ms=%5B%7B%22ids%22%3A%5B923444%5D%2C%20%22status%22%3A%22modified% > 22%7D%5D" That is still passing that method and parameters with GET, not POST. > Expected results: > The bug should be updated with the status "modified" and a JSON sent back in > accordance to the API. The API states "Methods that modify the database or cause some action to happen in Bugzilla cannot be called over GET". For that reason, I'm marking this as NOTABUG https://bugzilla.redhat.com/docs/en/html/api/Bugzilla/WebService/Server/JSONRPC.html#Connecting_via_GET
You're correct that in the example above I didn't send the parameters with the post, but I am still using a post to the API. I have tried doing everything in the post body as well but I still receive a 403 from the following curl commands. curl -v -X POST "https://bugzilla.redhat.com/jsonrpc.cgi" --data-urlencode "method=Bug.update" --data-urlencode "params=[{"ids":[923444], "status":"modified"}]" and curl -v -X POST "https://bugzilla.redhat.com/jsonrpc.cgi?method=Bug.update" --data-urlencode "params=[{"ids":[923444], "status":"modified"}]" I additionally have tried using credentials to see if it is an authentication issue, yet I receive the same response. Again the API is returning a 403, not a 401 so that's to be expected. Is there anything else I can try?