View differences
Updated by Kabiru Mwenja 4 months ago
The diff view shows two versions of the work package description, interleaved word by word in the extraction. They are separated below.

**Version A of the description:**

### Summary
The API v3 allows reading/writing internal comments when the `enabled_internal_comments` project setting is disabled, even when the EnterpriseToken doesn't allow internal comments.
Additionally, client apps need a way to check whether internal comments are enabled/possible for a specific project.
### Steps to reproduce
1. In Project Settings, disable "Enable internal comments" (or remove the enterprise token allowing internal comments)
2. As a user with `view_internal_comments` permission, call `GET /api/v3/work_packages/:id/activities`
3. Internal comments are still visible in the response
4. As a user with `add_internal_comments` permission, call `POST /api/v3/work_packages/:id/activities` with `internal: true`
5. The internal comment is created despite the project setting being disabled
### Expected behavior
1. **Enforcement**: Internal comments should only be readable/writable when ALL conditions are met:
   1. EnterpriseToken allows `internal_comments`
   2. Project setting `enabled_internal_comments` is true
   3. User has the appropriate permission
2. **Mobile App Support**: A project-scoped configuration endpoint `GET /api/v3/projects/:id/configuration` should return:
   1. All global configuration properties (including `availableFeatures` for the enterprise token check)
   2. `enabledInternalComments` - project setting (boolean, defaults to false)

**Version B of the description:**

### Summary
The [**Capabilities API**](https://www.openproject.org/docs/api/endpoints/actions-capabilities/) is currently out of sync with Project Settings. When "Internal Comments" are disabled for a specific project via the web interface, the API continues to report that the user has the capability to create them. Furthermore, the API accepts creation requests (`201 Created`) for data that the system is configured to ignore, leading to data inconsistency between the Mobile and Web apps.
### Steps to reproduce
* **Configure Project:** In the OpenProject Web UI, go to Project Settings and **disable** "Enable internal comments."
* **Check Capabilities via API:** Perform a `GET` request to `/api/v3/capabilities` for a user who has the "Write internal comments" permission in their role.
* **Current API Result:** Returns a positive capability for `internal_comments/create`.
* **Attempt Creation:** Perform a `POST` to create an internal comment on a work package in that project.
* **Current API Result:** Returns `201 Created`, but the comment is (correctly) hidden in the Web UI.
### Expected behavior
The **Capabilities API** should act as the single source of truth for the Mobile UI. It must account for both User Permissions **AND** Project Settings:
* If "Enable internal comments" is **OFF** at the project level, the Capabilities API should return a **negative** response for `internal_comments/create`, regardless of the user's role permissions.
* The API should return an error (e.g., `403 Forbidden`) if a client attempts to post an internal comment to a project where the feature is disabled.
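Both versions of the report describe the same gate: internal comments may be read or written only when the enterprise token allows them, the project setting is on, and the user holds the permission. The following is an added illustration of that three-way check in Ruby; it is not OpenProject's code, and the struct, module and method names are chosen here for illustration (only the permission names and the `internal_comments/create` capability come from the report).

```ruby
# Constructed illustration (not OpenProject's implementation) of the
# authorization gate the report asks for. Names are assumptions.
InternalCommentsContext = Struct.new(
  :enterprise_allows,   # does the EnterpriseToken allow internal comments?
  :project_enabled,     # project setting enabled_internal_comments
  :user_permissions,    # symbols granted by the user's role in the project
  keyword_init: true
)

module InternalCommentsPolicy
  module_function

  # The feature is active only when the token AND the project setting allow it.
  def feature_active?(ctx)
    ctx.enterprise_allows && ctx.project_enabled
  end

  def can_read?(ctx)
    feature_active?(ctx) && ctx.user_permissions.include?(:view_internal_comments)
  end

  def can_write?(ctx)
    feature_active?(ctx) && ctx.user_permissions.include?(:add_internal_comments)
  end

  # What the capabilities endpoint should report for internal_comments/create:
  # negative whenever any of the three conditions fails, regardless of role.
  def capabilities(ctx)
    { "internal_comments/create" => can_write?(ctx) }
  end

  # Simulated handling of POST .../activities with internal: true.
  # 201 only when the gate passes; otherwise the 403 the report expects.
  # (Non-internal comments are assumed allowed here for simplicity.)
  def create_activity_status(ctx, internal:)
    return 201 unless internal
    can_write?(ctx) ? 201 : 403
  end

  # Simulated GET .../activities: internal entries are filtered out for a
  # reader who may not see them, instead of leaking them in the response.
  def visible_activities(ctx, activities)
    activities.reject { |a| a[:internal] && !can_read?(ctx) }
  end
end
```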