[Rt-devel] REST: should retrieving a particular attachment require a ticket number?

Jesse Vincent jesse at bestpractical.com
Mon Sep 4 15:00:20 EDT 2006

On Tue, Jul 25, 2006 at 03:26:09PM -0700, Dmitri Tikhonov wrote:
> Dear fellow RTers,
> Looking at html/REST/1.0/Forms/ticket/attachments, I realized that one
> does not really need to pass the ticket id in order to see a particular
> attachment.  As it stands right now, however, this is enforced by the
> implementation.  Let's look at an example run of 'rt' utility
> (attached).  Since RT::Attachment is an object in its own right, why
> not allow it to be accessed as such?  Furthermore, ticket-loading code
> at the top of html/REST/1.0/Forms/ticket/attachments does not do
> anything useful, because it does not check whether a specific
> attachment is actually associated with the ticket.

I believe that this was an attempt at "Security" back around RT 3.0, in
a perhaps flawed attempt to stop people from brute-force iterating over
attachments to find things.  

> Attached patch moves ticket-loading code to the place where it's
> needed, so one can access any attachment using rt tool by saying
>   rt show ticket/0/attachments/6

This scares me a bit.

> To take things even further, why shouldn't there be
> html/REST/1.0/Forms/attachment?  Then we could say things like
>   rt show attachment/6

This doesn't scare me. I'll take a patch for it ;)

More information about the Rt-devel mailing list