API call for adding comments to an existing ticket

Support for Traq 3.x
csebe
Newbie
Posts: 5
Joined: Thu May 21, 2015 1:16 am

Post by csebe » Thu May 21, 2015 1:49 am

Hi there!
 
Thanks for this product! It is the nearest to my desired simplicity and functionality I could find in Softaculous.
 
I need to extend it a bit, to accept adding/modifying tickets by email.
As I can see this is not part of the standard product (I do have version 3.5.2. at my hosting) so I thought of a workaround for this, that in my particular setup would work very well:
my email server passes the emails on a certain address to a perl script, that parses the MIME then uses your POST API to add a ticket.
 
I am almost there with adding a ticket using the API; however, I want to allow users to add comments to existing tickets too. Is there an undocumented API for this too by any chance? Or any plan to implement this? What I would need is actually something callable like this from curl:

Code:

curl http://path.to/traq/my_projects/tickets/addcomment -d access_token=3c3f1af318fa8c78b7caef59ac016c90cc8179b8 \
  -d comment="A new comment" -d ticket_id=5

Or something similar like:

Code:

curl http://path.to/traq/my_projects/tickets/5/comment -d access_token=3c3f1af318fa8c78b7caef59ac016c90cc8179b8 \
  -d comment="A new comment"

(In the same idea, some more options to add/modify tickets and comments would be super, like: specifying the component for which the ticket is to be added, milestone, etc. In fact, pretty much everything should be exposed through the API I suppose...)
 
Thanks in advance,
 
Lian
 

Jack
Advanced Member
Posts: 666
Joined: Fri Mar 27, 2009 7:37 pm
Location: Australia

Re: API call for adding comments to an existing ticket

Post by Jack » Thu May 21, 2015 12:23 pm

I never did get around to finishing the API documentation, was busy with developing Traq 4 and now with university classes. I will have to find some time to try and finish it.
 
Anyway, yes, there is a way to add comments to tickets. It's also the same way to update tickets.

Code:

curl http://path.to/traq/my_project/tickets/1/update -d access_token=abc123 -d comment="My comment"

To update the ticket's properties, such as the status, pass "status" with the ID of the new status, for example:

Code:

curl http://path.to/traq/my_project/tickets/1/update -d access_token=abc123 -d status=2

To change any other property, pass the name of the form field and the new value. Looking at the update ticket form, the "Assigned to" field name is "assigned_to", so we'd just pass "assigned_to" with the user's ID. The same goes for creating tickets and other things, whatever the form field is, simply pass it along.
 
The API pretty much works as if you're submitting a form, it just checks if "access_token" is set and returns JSON instead of HTML.
 
The Traq 4 API will be much better, easier to use and more documented.
Last edited by Jack on Thu May 21, 2015 12:36 pm, edited 1 time in total.
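
An added example (not code from this thread or from Traq) of the e-mail-to-comment step discussed above: it validates the ticket number and project slug before they enter the URL path, and form-encodes the body so mail text cannot add fields such as `status` to an endpoint that applies whatever form fields it receives. The `[#N]` subject tag, host name, token and sample mail are constructed assumptions.

```python
import re
import urllib.parse
import urllib.request
from email import message_from_string

# Constructed sample mail; the "[#13]" subject tag is an assumed convention.
SAMPLE_EMAIL = """\
From: lian@example.org
To: tickets@example.org
Subject: Re: [#13] Login page is slow

Still slow after the restart &status=2
"""

TICKET_TAG = re.compile(r"\[#(\d{1,9})\]")        # digits only, bounded length
PROJECT_SLUG = re.compile(r"[a-z0-9][a-z0-9_-]*\Z")


def build_comment_request(raw_email, base_url, project, token):
    """Build the POST to <base_url>/<project>/tickets/<id>/update from a mail."""
    msg = message_from_string(raw_email)
    tag = TICKET_TAG.search(msg.get("Subject", ""))
    if tag is None:
        raise ValueError("no [#N] ticket tag in subject")
    if not PROJECT_SLUG.match(project):
        raise ValueError("unexpected project slug")
    # Use the first text/plain part; HTML parts and attachments are ignored.
    part = next((p for p in msg.walk()
                 if p.get_content_type() == "text/plain"), None)
    if part is None:
        raise ValueError("no text/plain part")
    charset = part.get_content_charset() or "utf-8"
    comment = part.get_payload(decode=True).decode(charset, "replace").strip()
    # urlencode() escapes & and =, so mail text stays inside "comment" and
    # cannot introduce extra form fields the update endpoint would apply.
    body = urllib.parse.urlencode({"access_token": token, "comment": comment})
    url = "%s/%s/tickets/%d/update" % (
        base_url.rstrip("/"), project, int(tag.group(1)))
    return urllib.request.Request(url, data=body.encode("ascii"), method="POST")


if __name__ == "__main__":
    req = build_comment_request(SAMPLE_EMAIL, "https://traq.example.org/traq",
                                "my_project", "abc123")
    print(req.get_method(), req.full_url)
    print(req.data.decode("ascii"))
```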

Re: API call for adding comments to an existing ticket

Post by csebe » Thu May 21, 2015 4:13 pm

That's super! Thank you very much Jack!

Re: API call for adding comments to an existing ticket

Post by csebe » Thu May 21, 2015 4:14 pm

Hi Jack,
 
I have a nice and strange problem :)
 
Whenever the string that is passed to the update ticket API call contains " having a", the call fails!!!
I know, it sounds incredible, but please read on :))
 
Try something like this please on your test machine (be aware of the spaces, they are important!!):

Code:

curl http://www.yourdomain.com/traq/test-traq-api/tickets/13/update -d access_token=a0809[...] -d comment=" having f"

In this case, I get back a cryptic:

Code:

<!DOCTYPE html>
<html style="height:100%">
<head><title> 403 Forbidden
</title></head>
<body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;">
<div style="height:auto; min-height:100%; ">     <div style="text-align: center; width:800px; ; position:absolute; top: 30%; left:50%;">
        <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">403</h1>
<h2 style="margin-top:20px;font-size: 30px;">Forbidden
</h2>
<p>Access to this resource on the server is denied!</p>
</div></div><div style="color:#f0f0f0; font-size:12px;margin:auto;padding:0px 30px 0px 30px;position:relative;clear:both;height:100px;margin-top:-101px;background-color:#474747;border-top: 1px solid rgba(0,0,0,0.15);box-shadow: 0 1px 0 rgba(255, 255, 255, 0.3) inset;">
<br>Proudly powered by  <a style="color:#fff;" href="http://www.litespeedtech.com/error-page">LiteSpeed Web Server</a><p>Please be advised that LiteSpeed Technologies Inc. is not a web hosting company and, as such, has no control over content found on this site.</p></div></body></html>

As soon as you change the text with anything else, it works and returns the json, as expected.
 
I tested with adding a ticket too, and it happens the same, but if the " having m" text is given in the "summary" parameter this time.
 
Judging by the fact that the word "having" is a keyword in SQL, maybe it is an SQL injection type of problem or so?
 
Regards,
 
Lian
Last edited by csebe on Fri May 22, 2015 2:02 am, edited 1 time in total.

Re: API call for adding comments to an existing ticket

Post by csebe » Wed Jun 03, 2015 9:48 pm

Hi,
 
I have just discovered that it is not exclusively an API problem, but also a problem when using the regular Web interface.
 
To replicate, in any of your 3.5.2 installations try:
1. adding a ticket that contains the word "having" with spaces before/after (like in the string: "mama is having a boy") in the summary.
-- or --
2. updating a ticket and adding the word "having" with spaces before/after (like in the string: "mama is having a boy") in the description.
 
You'll get:
 
403/Forbidden!
Access to this resource on the server is denied.
 
I'll try to file a bug too.
 
Cheers,
 
Lian

Re: API call for adding comments to an existing ticket

Post by Jack » Thu Jun 04, 2015 3:35 am

I just tested this with Apache without any issues. I think it has something to do with the LiteSpeed web server. Reading over their security page, it appears it's a feature.

Re: API call for adding comments to an existing ticket

Post by csebe » Thu Jun 04, 2015 4:03 pm

Hi Jack,
 
Indeed my webhosting uses LiteSpeed and not Apache and due to the security limitations I do not have access to see its "request filtering" config.
 
However, if this were the only reason, I would think that "mama is having a boy" should generate this error no matter where it is used. This is not so though: you can use it in the description when trying to add a ticket and it works ok (but it crashes when it is present in the summary). So, your code behind probably treats the 2 fields somehow differently behind the scenes.
 
Anyway, it is not a big deal for me as I use it through the API and it is for my own use only: I have a regex to replace any 'having' with 'havin' and it works :) I am afraid that, maybe, there are other special keywords that will generate this behaviour, I just didn't bump into them, yet.
 
I'll install a local server and do some more tests one of these days.
 
Cheers,
 
Lian
Last edited by csebe on Thu Jun 04, 2015 4:04 pm, edited 1 time in total.
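
An added example (not from the thread or from Traq): because the API answers in JSON while the 403 quoted above is an HTML page from the web server, a client can tell the two apart and hold a filtered submission unmodified, without its token, for follow-up with the host. The JSON reply body and the `send` transport callable are assumptions; the HTML is a trimmed copy of the page quoted earlier.

```python
import json

# Constructed replies: a trimmed copy of the 403 page quoted in the thread, and
# a made-up JSON body (the real Traq 3 reply format is not shown on the page).
WAF_403 = (403, "<!DOCTYPE html>\n<html><head><title> 403 Forbidden\n</title>"
                "</head><body><p>Access to this resource on the server is "
                "denied!</p>Proudly powered by LiteSpeed Web Server</body></html>")
API_200 = (200, '{"ticket_id": 13}')


def classify(status, body):
    """Say who answered: the application (JSON) or something in front of it."""
    try:
        json.loads(body)
        return "application"
    except ValueError:
        pass
    if status == 403 and body.lstrip().lower().startswith(("<!doctype", "<html")):
        return "request-filter"
    return "unknown"


def deliver(fields, send, held):
    """POST fields through send(); keep filtered submissions verbatim in held.

    send is any callable returning (status, body), so this runs offline.
    """
    status, body = send(fields)
    verdict = classify(status, body)
    if verdict == "request-filter":
        # Keep the rejected text unaltered for a false-positive report, but
        # never write the access token into the held record.
        kept = {k: v for k, v in fields.items() if k != "access_token"}
        held.append({"status": status, "fields": kept})
    return verdict


if __name__ == "__main__":
    held = []
    request = {"access_token": "abc123", "comment": " having f"}
    print(deliver(request, lambda f: WAF_403, held), held)
    print(deliver(request, lambda f: API_200, held))
```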
