When working on T211119, I noticed that the API checks the validity of requests before it checks whether the user has the right to execute the request.
That order should be inverted. The new order should probably look something like this:
- Check whether the user is allowed to execute the module at all, e.g. wbcreateclaim. (The user might be blocked.)
- Look at the other request parameters and check whether they are valid. (A parameter might be missing or malformed.)
- Check whether the user has the rights to take that action on that item. (The item might be protected.)
- API requests check that a user is allowed to make that request before checking the validity of the request parameters
- A test for this behavior
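As an added illustration of the proposed order (example code, not Wikibase's own; `User`, `Item`, `ApiError` and the error codes are hypothetical stand-ins), a handler that refuses a blocked user before it inspects any parameter, validates parameters second, and checks per-item rights last:

```python
# Added example, not Wikibase code: the three-step check order from the task,
# with hypothetical User/Item models and error codes.
from dataclasses import dataclass


@dataclass
class User:
    name: str
    blocked: bool = False   # hypothetical: blocked users may not call edit modules
    sysop: bool = False     # hypothetical: only sysops may edit protected items


@dataclass
class Item:
    item_id: str
    protected: bool = False


class ApiError(Exception):
    def __init__(self, code: str):
        super().__init__(code)
        self.code = code


def check_module_permission(user: User) -> None:
    """Step 1: may this user execute the module (e.g. wbcreateclaim) at all?"""
    if user.blocked:
        raise ApiError("blocked")


def validate_params(params: dict) -> str:
    """Step 2: are the request parameters present and well-formed?"""
    entity = params.get("entity", "")
    if not (entity.startswith("Q") and entity[1:].isdigit()):
        raise ApiError("invalid-entity-id")
    if not params.get("property"):
        raise ApiError("missing-param:property")
    return entity


def check_item_permission(user: User, item: Item) -> None:
    """Step 3: may this user act on this particular item?"""
    if item.protected and not user.sysop:
        raise ApiError("protectedpage")


def create_claim(user: User, params: dict, items: dict) -> str:
    """Run the checks in the order the task proposes, then 'act'."""
    check_module_permission(user)          # before any parameter is looked at
    entity_id = validate_params(params)
    item = items.get(entity_id)
    if item is None:
        raise ApiError("no-such-entity")
    check_item_permission(user, item)
    return f"claim created on {entity_id}"


def run(user: User, params: dict, items: dict) -> str:
    """Return the result string or the error code, as an API response would."""
    try:
        return create_claim(user, params, items)
    except ApiError as e:
        return e.code
```

A blocked user receives only "blocked" even with an empty request, so the response never reveals whether the parameters would have been accepted.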