[Rt-devel] REST: should retrieving a particular attachment require a ticket number?
Jesse Vincent
jesse at bestpractical.com
Mon Sep 4 15:00:20 EDT 2006
On Tue, Jul 25, 2006 at 03:26:09PM -0700, Dmitri Tikhonov wrote:
> Dear fellow RTers,
>
> Looking at html/REST/1.0/Forms/ticket/attachments, I realized that one
> does not really need to pass the ticket id in order to see a particular
> attachment. As it stands right now, however, this is enforced by the
> implementation. Let's look at an example run of 'rt' utility
> (attached). Since RT::Attachment is an object in its own right, why
> not allow it to be accessed as such? Furthermore, ticket-loading code
> at the top of html/REST/1.0/Forms/ticket/attachments does not do
> anything useful, because it does not check whether a specific
> attachment is actually associated with the ticket.
>
I believe that this was an attempt at "Security" back around RT 3.0, in
a perhaps flawed attempt to stop people from brute-force iterating over
attachments to find things.
> Attached patch moves ticket-loading code to the place where it's
> needed, so one can access any attachment using rt tool by saying
>
> rt show ticket/0/attachments/6
This scares me a bit.
> To take things even further, why shouldn't there be
> html/REST/1.0/Forms/attachment? Then we could say things like
>
> rt show attachment/6
>
This doesn't scare me. I'll take a patch for it ;)
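An added illustration of the check the thread is discussing, written for this page and not code from RT: a constructed in-memory model contrasting a handler that authorizes only the ticket named in the URL with one that authorizes on the attachment's own ticket. All names and data here (TICKETS, CAN_SEE, show_attachment_checked, the users and queues) are invented.

```python
# Constructed model of the gap the thread describes: ticket/<id>/attachments/<id>
# loads and access-checks the ticket, but never verifies that the attachment
# actually belongs to it. Not RT code; the data below is made up.
from dataclasses import dataclass

@dataclass(frozen=True)
class Ticket:
    id: int
    queue: str

@dataclass(frozen=True)
class Attachment:
    id: int
    ticket_id: int   # ticket that owns the transaction this attachment is on
    content: str

# Constructed sample data.
TICKETS = {1: Ticket(1, "support"), 2: Ticket(2, "security")}
ATTACHMENTS = {
    5: Attachment(5, 1, "customer log excerpt"),
    6: Attachment(6, 2, "confidential incident notes"),
}
# Queues each user may read; stands in for a per-ticket ShowTicket right.
CAN_SEE = {"alice": {"support"}, "bob": {"support", "security"}}

def can_see_ticket(user, ticket):
    return ticket.queue in CAN_SEE.get(user, set())

def show_attachment_unchecked(user, ticket_id, attachment_id):
    """Authorizes the ticket in the URL, then serves any attachment id:
    a caller who may see ticket 1 can read attachments of ticket 2."""
    ticket = TICKETS.get(ticket_id)
    if ticket is None or not can_see_ticket(user, ticket):
        return None
    att = ATTACHMENTS.get(attachment_id)
    return att.content if att else None

def show_attachment_checked(user, ticket_id, attachment_id):
    """Authorizes on the attachment's own ticket, which is what governs
    visibility. A ticket id of 0/None in the path (attachment/6 style) is
    accepted; a mismatching one is rejected so the URL cannot lie."""
    att = ATTACHMENTS.get(attachment_id)
    if att is None:
        return None
    owner = TICKETS.get(att.ticket_id)
    if owner is None or not can_see_ticket(user, owner):
        return None
    if ticket_id and ticket_id != att.ticket_id:
        return None
    return att.content
```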