When creating a user using the REST API, we have found that if you switch the HTTPS for an HTTP POST it returns a full list of users rather than creating a new one.
I would never advocate not using HTTPS; this was noted by our internal QA and it's raised a discussion around how this happened. I would expect to have an error status code, not a different data set.
Scenario
POST {domain}/api/v1/users?activate=true
Accept application/json
Content-Type application/json
Authorization SSWS {apikey}
Body
{
  "profile": {
    "firstName": "TEST",
    "lastName": "USER",
    "email": "yourtestemail",
    "login": "yourtestemail"
  },
  "groupIds": [
    "123456789"
  ],
  "credentials": {
    "password": { "value": "Password1234" }
  }
}
If you simply remove the ‘S’ from HTTPS and run the POST request in Postman or another tool, you get a status code of 200 and a full list of users rather than a newly created user.
As the endpoint /api/v1/users is used for many things I am wondering if the nature of the request not being secure is oddly returning a list of users rather than dealing with the payload in the body and creating a user.
Normally a list of users is obtained using a GET.
From my point of view all requests would always be HTTPS, but I’m more curious that removing the S to make it not secure returns a different dataset based on the same endpoint and body.
Any thoughts would be great.
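One hypothesis worth checking, given here as an added example that is not part of the original post: HTTP clients commonly follow a 301/302 by reissuing a POST as a body-less GET, and a GET on /api/v1/users lists users. That the plain-HTTP listener redirects to HTTPS is an assumption, not something the post confirms; the stub servers, sample users and placeholder token below are constructed, and the check sends the same POST with redirect-following on and off.

```python
import json, threading, urllib.error, urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer
PATH = "/api/v1/users?activate=true"

class Stub(BaseHTTPRequestHandler):  # constructed stand-in server
    def log_message(self, *args): pass
    def _send(self, code, body=b"", location=None):
        self.send_response(code)
        if location:
            self.send_header("Location", location)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)
    def do_GET(self):   # list users
        self._send(200, json.dumps([{"id": "u1"}, {"id": "u2"}]).encode())
    def do_POST(self):  # create user, or redirect (assumed behaviour)
        self.rfile.read(int(self.headers.get("Content-Length", 0)))
        if self.server.redirect_to:
            self._send(301, location=self.server.redirect_to + self.path)
        else:
            self._send(201, json.dumps({"id": "new"}).encode())

class NoRedirect(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, *args, **kwargs):
        return None  # do not follow: the 3xx surfaces as HTTPError

def start(redirect_to=None):
    srv = HTTPServer(("127.0.0.1", 0), Stub)
    srv.redirect_to = redirect_to
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return "http://127.0.0.1:%d" % srv.server_port

def post_user(base, follow=True):
    handlers = [urllib.request.ProxyHandler({})] + ([] if follow else [NoRedirect])
    req = urllib.request.Request(base + PATH, method="POST",
        data=json.dumps({"profile": {"login": "constructed@example.com"}}).encode(),
        headers={"Content-Type": "application/json", "Authorization": "SSWS PLACEHOLDER"})
    try:
        with urllib.request.build_opener(*handlers).open(req, timeout=5) as r:
            return r.status, json.loads(r.read())
    except urllib.error.HTTPError as e:
        return e.code, e.headers.get("Location")

def demo():
    api = start()                   # stands in for the HTTPS endpoint
    plain = start(redirect_to=api)  # stands in for the HTTP listener
    return post_user(api), post_user(plain), post_user(plain, follow=False)

if __name__ == "__main__":
    print(*demo(), sep="\n")
```

If the real endpoint shows a 3xx with redirects disabled, the 200 and user list come from the follow-up GET, not from the POST. Whatever the cause, the first cleartext request already carried the API token and password, so rotate any credentials sent that way.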