API retuning "Project does not exist" when it does

Thanks for the response!!

I thought it might be the perms as well, so, just to test, I set the user at Admin level in the project just to verify if it was indeed perms issue and I still get the same error.

I can select another project and it works just fine, it's just this one project.

It's not using any special schemes outside the ordinary.

Mmm, this catches out a lot of people - admin means admin, not "can do anything" or project permissions. Making them an admin might not give them browse project.

You have to check the permission scheme - to whom does it grant "browse project"?  And is that user included by the rule? 

I added a few more permission groups and this seems to have solved the issue. Better error messages would help here as well.

Thanks!

Yes, it would be better for a message of "project does not exist, or you cannot see it". (You don't want to leak information by saying "project exists, but you're not allowed in", it should not give away that the project exists)

"Permission Denied" is acceptable, it's generic and can mean you don't have perms to the company, board, project, other things and does not really risk much, but for those of us doing work like this, it would have made this a lot easier to troubleshoot.

No, because you've now told your attacker that the project exists. 

Unless you change all the messaging to "permission denied", irrespective of whether it's the permissions or the non-existence of the project.

True, but if an attacker has gotten this far, you have a LOT more issues than this. :)

Um, why?  Anyone can issue a REST call to look at a project on a Cloud system.  They could get this far in the first attempt, just by reading the docs or Community posts.

@Dennis Christilaw  I'm also facing the same issue, so could you please provide the privileges assigned when this issue was faced?

They added "browse project" for the user they were using