
API call for adding comments to an existing ticket

api comments

6 replies to this topic

#1 csebe

csebe

    Newbie

  • Members
  • Pip
  • 5 posts

Posted 20 May 2015 - 03:49 PM

Hi there!

 

Thanks for this product! It is the nearest to my desired simplicity and functionality I could find in Softaculous.

 

I need to extend it a bit, to accept adding/modifying tickets by email.

As far as I can see, this is not part of the standard product (I have version 3.5.2 at my hosting), so I thought of a workaround that would work very well in my particular setup:

my email server passes the emails sent to a certain address to a Perl script that parses the MIME and then uses your POST API to add a ticket.

 

I am almost there with adding a ticket using the API however I want to allow users to add comments to existing tickets too. Is there an undocumented API for this too by any chance? Or any plan to implement this? What I would need is actually something call-able like this from curl:

curl http://path.to/traq/my_projects/tickets/addcomment -d access_token=3c3f1af318fa8c78b7caef59ac016c90cc8179b8 \
  -d comment="A new comment" -d ticket_id=5

Or something similar like:

curl http://path.to/traq/my_projects/tickets/5/comment -d access_token=3c3f1af318fa8c78b7caef59ac016c90cc8179b8 \
  -d comment="A new comment"

(In the same idea, some more options to add/modify tickets and comments would be super, like: specifying the component for which the ticket is to be added, milestone, etc. In fact, pretty much everything should be exposed through the API I suppose...)

 

Thanks in advance,

 

Lian

 



#2 Jack

Jack

    Project Founder

  • Administrators
  • 673 posts
  • LocationAustralia

Posted 21 May 2015 - 02:23 AM

I never did get around to finishing the API documentation, was busy with developing Traq 4 and now with university classes. I will have to find some time to try and finish it.

 

Anyway, yes, there is a way to add comments to tickets. It's also the same way to update tickets.

curl http://path.to/traq/my_project/tickets/1/update -d access_token=abc123 -d comment="My comment"

To update the ticket's properties, such as the status, pass "status" with the ID of the new status, for example:

curl http://path.to/traq/my_project/tickets/1/update -d access_token=abc123 -d status=2

To change any other property, pass the name of the form field and the new value. Looking at the update ticket form, the "Assigned to" field name is "assigned_to", so we'd just pass "assigned_to" with the user's ID. The same goes for creating tickets and other things: whatever the form field is, simply pass it along.

 

The API pretty much works as if you're submitting a form; it just checks if "access_token" is set and returns JSON instead of HTML.

 

The Traq 4 API will be much better, easier to use and more documented.



#3 csebe

csebe

    Newbie

  • Members
  • Pip
  • 5 posts

Posted 21 May 2015 - 06:13 AM

That's super! Thank you very much Jack!



#4 csebe

csebe

    Newbie

  • Members
  • Pip
  • 5 posts

Posted 21 May 2015 - 06:14 AM

Hi Jack,

 

I have a nice and strange problem :)

 

Whenever the string that is passed to the update ticket API call contains " having a", the call fails!!!

I know, it sounds incredible, but please read on :))

 

Try something like this please on your test machine (be aware of the spaces, they are important!!):

curl http://www.yourdomain.com/traq/test-traq-api/tickets/13/update -d access_token=a0809[...] -d comment=" having f"

In this case, I get back a cryptic:

<!DOCTYPE html>
<html style="height:100%">
<head><title> 403 Forbidden
</title></head>
<body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;">
<div style="height:auto; min-height:100%; ">     <div style="text-align: center; width:800px; ; position:absolute; top: 30%; left:50%;">
        <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">403</h1>
<h2 style="margin-top:20px;font-size: 30px;">Forbidden
</h2>
<p>Access to this resource on the server is denied!</p>
</div></div><div style="color:#f0f0f0; font-size:12px;margin:auto;padding:0px 30px 0px 30px;position:relative;clear:both;height:100px;margin-top:-101px;background-color:#474747;border-top: 1px solid rgba(0,0,0,0.15);box-shadow: 0 1px 0 rgba(255, 255, 255, 0.3) inset;">
<br>Proudly powered by  <a style="color:#fff;" href="http://www.litespeedtech.com/error-page">LiteSpeed Web Server</a><p>Please be advised that LiteSpeed Technologies Inc. is not a web hosting company and, as such, has no control over content found on this site.</p></div></body></html>

As soon as you change the text with anything else, it works and returns the json, as expected.

 

I tested with adding a ticket too, and it happens the same, but if the " having m" text is given in the "summary" parameter this time.

 

Judging the fact it is the word "having" that is a keyword in SQL, maybe it is a SQL injection problem type or so?

 

Regards,

 

Lian



#5 csebe

csebe

    Newbie

  • Members
  • Pip
  • 5 posts

Posted 03 June 2015 - 11:48 AM

Hi,

 

I have just discovered that it is not exclusively an API problem, but also a problem when using the regular Web interface.

 

To replicate, in any of your 3.5.2 installations try:

1. adding a ticket that contains the word "having" with spaces before/after (like in the string: "mama is having a boy") in the summary.

-- or --

2. updating a ticket and adding the word "having" with spaces before/after (like in the string: "mama is having a boy") in the description.

 

You'll get:

 

403/Forbidden!

Access to this resource on the server is denied.

 

I'll try to file a bug too.

 

Cheers,

 

Lian



#6 Jack

Jack

    Project Founder

  • Administrators
  • 673 posts
  • LocationAustralia

Posted 03 June 2015 - 05:35 PM

I just tested this with Apache without any issues. I think it has something to do with the LiteSpeed web server. Reading over their security page, it appears it's a feature.



#7 csebe

csebe

    Newbie

  • Members
  • Pip
  • 5 posts

Posted 04 June 2015 - 06:03 AM

Hi Jack,

 

Indeed my webhosting uses LiteSpeed and not Apache and due to the security limitations I do not have access to see its "request filtering" config.

 

However, if this were the only reason, I would think that "mama is having a boy" should generate this error no matter where it is used. This is not so though: you can use it in the description when trying to add a ticket and it works OK (but it crashes when it is present in the summary). So your code probably treats the 2 fields somehow differently behind the scenes.

 

Anyway, it is not a big deal for me as I use it through the API and it is for my own use only: I have a regex to replace any 'having' with 'havin' and it works :) I am afraid that, maybe, there are other special keywords that will generate this behaviour, I just didn't bump into them, yet.

 

I'll install a local server and do some more tests one of these days.

 

Cheers,

 

Lian
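For a mail-to-ticket gateway like the one described in this thread, it helps to tell the web server's HTML 403 page apart from Traq's JSON reply, so that a filtered message is kept for review instead of being lost. The following is an added example, not code from the posters or from Traq; the variable names TRAQ_TOKEN and TRAQ_SPOOL and both function names are assumptions.

```bash
#!/usr/bin/env bash
# Added example. TRAQ_TOKEN and TRAQ_SPOOL are hypothetical variable names.

# classify_response STATUS CONTENT_TYPE BODY -> api_ok | filtered | api_error
classify_response() {
    local status="$1" ctype="$2" body="$3" kind=other
    case "$body" in
        '<!DOCTYPE html'*|'<html'*) kind=html ;;
        '{'*|'['*)                  kind=json ;;
    esac
    case "$ctype" in text/html*) kind=html ;; esac
    # The API answers in JSON, so an HTML 403 page is the web server's own.
    case "$status:$kind" in
        403:html) echo filtered ;;
        2??:json) echo api_ok ;;
        *)        echo api_error ;;
    esac
}

# post_comment TICKET_URL COMMENT   (TICKET_URL like .../my_project/tickets/1)
# Returns 0 on success, 2 when the request was filtered, 1 otherwise.
post_comment() {
    local url="$1" comment="$2" tmp meta verdict spool
    tmp=$(mktemp) || return 1
    # --data-urlencode keeps spaces, quotes and '&' in the comment intact.
    meta=$(curl -sS -o "$tmp" -w '%{http_code} %{content_type}' \
        --data-urlencode "access_token=$TRAQ_TOKEN" \
        --data-urlencode "comment=$comment" "$url/update") \
        || { rm -f "$tmp"; return 1; }
    verdict=$(classify_response "${meta%% *}" "${meta#* }" "$(cat "$tmp")")
    rm -f "$tmp"
    if [ "$verdict" = filtered ]; then
        # Keep the untouched text for review instead of losing the mail.
        spool=${TRAQ_SPOOL:-./traq-filtered}
        mkdir -p "$spool" && printf '%s\n%s\n' "$url" "$comment" > "$spool/$(date +%s).$$"
        echo "rejected by web server request filter: $url" >&2
        return 2
    fi
    [ "$verdict" = api_ok ]
}
```

The spooled files give the hosting provider concrete requests to check against their filter rules when asking for an exception.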




