Updated by Kabiru Mwenja 4 months ago
### Summary
The [**Capabilities API**](https://www.openproject.org/docs/api/endpoints/actions-capabilities/) is currently out of sync with Project Settings. Even when "Internal Comments" are disabled for a specific project via the web interface, the API continues to report that the user has the capability to create them. Furthermore, the API accepts creation requests (`201 Created`) for data that the system is configured to ignore, leading to data inconsistency between the Mobile and Web apps.
### Steps to reproduce
* **Configure Project:** In the OpenProject Web UI, go to Project Settings and **disable** "Enable internal comments."
* **Check Capabilities via API:** Perform a `GET` request to `/api/v3/capabilities` for a user who has the "Write internal comments" permission in their role.
* **Current API Result:** Returns a positive capability for `internal_comments/create`.
* **Attempt Creation:** Perform a `POST` to create an internal comment on a work package in that project.
* **Current API Result:** Returns `201 Created`, but the comment is (correctly) hidden in the Web UI.
### Expected behavior
The **Capabilities API** should act as the single source of truth for the Mobile UI. It must account for both User Permissions **AND** Project Settings:
* If "Enable internal comments" is **OFF** at the project level, the Capabilities API should return a **negative** response for `internal_comments/create`, regardless of the user's role permissions.
* The API should return an error (e.g., `403 Forbidden`) if a client attempts to post an internal comment to a project where the feature is disabled.
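As an added illustration (not OpenProject's code), the following Python models the reported behaviour next to the expected one and enumerates every combination of project setting and role permission, flagging any state where the advertised capability, the create response and the Web UI disagree. Function names, the permission name and the `web_ui_shows_internal` model are assumptions.

```python
from itertools import product

WRITE_INTERNAL = "write_internal_comments"   # assumed name for the role permission
CAP = "internal_comments/create"             # capability id from the report


def policy(project_enabled: bool, permissions: set) -> bool:
    """One authorization decision shared by every endpoint: the project
    setting AND the role permission. Keeping both gates in one place is
    what stops the Capabilities API and the create endpoint from drifting."""
    return project_enabled and WRITE_INTERNAL in permissions


# Current behaviour as described in the report: only the role is consulted.
def capabilities_buggy(project_enabled, permissions):
    return [CAP] if WRITE_INTERNAL in permissions else []


def create_buggy(project_enabled, permissions):
    return 201 if WRITE_INTERNAL in permissions else 403


# Expected behaviour: both endpoints derive from the single policy.
def capabilities_fixed(project_enabled, permissions):
    return [CAP] if policy(project_enabled, permissions) else []


def create_fixed(project_enabled, permissions):
    return 201 if policy(project_enabled, permissions) else 403


def web_ui_shows_internal(project_enabled, created: bool) -> bool:
    # The Web UI already honours the project setting and hides the comment.
    return created and project_enabled


def find_inconsistencies(capabilities, create):
    """Return every (setting, permission) state in which what the API
    advertises, what the create call returns and what the UI shows differ."""
    bad = []
    for enabled, has_perm in product([True, False], repeat=2):
        perms = {WRITE_INTERNAL} if has_perm else set()
        advertised = CAP in capabilities(enabled, perms)
        status = create(enabled, perms)
        visible = web_ui_shows_internal(enabled, status == 201)
        if not (advertised == (status == 201) == visible):
            bad.append({"setting_on": enabled, "has_perm": has_perm,
                        "advertised": advertised, "status": status,
                        "visible": visible})
    return bad


if __name__ == "__main__":
    print("current:", find_inconsistencies(capabilities_buggy, create_buggy))
    print("expected:", find_inconsistencies(capabilities_fixed, create_fixed))
```

The only inconsistent state the model reports is the one in the reproduction steps: setting off, permission granted, capability advertised, `201` returned, comment invisible.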