<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD><TITLE>RE: [Rt-devel] [PATCH]: Ticket transaction querying in REST interface is not restrictive enough</TITLE>
<META http-equiv=Content-Type content="text/html; charset=us-ascii">
<META content="MSHTML 6.00.5730.11" name=GENERATOR></HEAD>
<BODY>
<DIV dir=ltr align=left><SPAN class=683285102-13022007><FONT face=Arial
color=#0000ff size=2>I agree - if you're going to query just transactions, do it
directly. But if you are doing it via a ticket, make sure that the transaction
is something to do with the ticket. If not, you can get confused because you
might query </FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN class=683285102-13022007><FONT face=Arial
color=#0000ff size=2></FONT></SPAN> </DIV>
<DIV dir=ltr align=left><SPAN class=683285102-13022007><FONT size=2>rt show
ticket/N/history/id/M</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN class=683285102-13022007><FONT
size=2></FONT></SPAN> </DIV>
<DIV dir=ltr align=left><SPAN class=683285102-13022007><FONT size=2>and because
you get a result, you might assume that transaction M was something to do with
ticket N. After all the "history" part of the query strongly suggests that the
transaction is part of the ticket's history. I think this should be prevented
and a plain transaction query interface provided instead, if desirable (though
it's hard to see when you'd have a transaction ID you wanted to know about and
not know what ticket it referred to ...)</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN class=683285102-13022007><FONT
size=2></FONT></SPAN> </DIV>
<DIV dir=ltr align=left><SPAN class=683285102-13022007><FONT
size=2>PK</FONT></SPAN></DIV><BR>
<DIV class=OutlookMessageHeader lang=en-us dir=ltr align=left>
<HR tabIndex=-1>
<FONT face=Tahoma size=2><B>From:</B> Dmitri Tikhonov
[mailto:Dmitri.Tikhonov@vonage.com] <BR><B>Sent:</B> Monday, February 12, 2007
6:34 PM<BR><B>To:</B> Philip Kime;
rt-devel@lists.bestpractical.com<BR><B>Subject:</B> RE: [Rt-devel] [PATCH]:
Ticket transaction querying in REST interface is not restrictive
enough<BR></FONT><BR></DIV>
<DIV></DIV><!-- Converted from text/plain format -->
<P><FONT size=2>I have noticed this behavior before and maybe it's not
useless:<BR><BR> What if someone wants to get just at the transaction
itself?<BR><BR>As for restrictions, checking the ticket's permissions should
verify whether the user can see it. I would like to see an interface like
this:<BR><BR> /REST/1.0/transaction/N<BR><BR>Just my $.02<BR><BR> -
Dmitri.<BR><BR>-----Original Message-----<BR>From:
rt-devel-bounces@lists.bestpractical.com on behalf of Philip Kime<BR>Sent: Mon
2/12/2007 6:04 PM<BR>To: rt-devel@lists.bestpractical.com<BR>Subject: [Rt-devel]
[PATCH]: Ticket transaction querying in REST interface is not restrictive
enough<BR><BR>Against 3.6.3 to
file<BR><BR>&lt;rtpath&gt;/share/html/REST/1.0/Forms/ticket/history<BR><BR>This
patch fixes the following issue:<BR><BR>rt show
ticket/N/history/id/M<BR><BR>succeeds where transaction M has nothing to do with
ticket N. Put another way, transaction queries always succeed if the transaction
number is valid.<BR><BR>PK<BR><BR>--<BR>Philip Kime<BR>NOPS Systems
Architect<BR>310 401 0407<BR><BR><BR></FONT></P></BODY></HTML>