Leakage of internal session identifier in report API #44

Open
kroky opened this issue Jul 28, 2022 · 3 comments
kroky commented Jul 28, 2022

I currently have this data in my sample timeld.org timesheet:

{"@id":"victor/api-integration","@type":"Timesheet"}
{"@id":"wDvUoLR9heTXa9ff7rE4SW/1","activity":"timeld local setup and connection","duration":30,"session":{"@id":"wDvUoLR9heTXa9ff7rE4SW"},"start":{"@value":"2022-07-27T13:04:36.424Z","@type":"http://www.w3.org/2001/XMLSchema#dateTime"},"@type":"Entry","vf:provider":{"@id":"http://timeld.org/victor"}}
{"@id":"wDvUoLR9heTXa9ff7rE4SW/2","activity":"api review","duration":0.2,"session":{"@id":"wDvUoLR9heTXa9ff7rE4SW"},"start":{"@value":"2022-07-27T13:05:19.404Z","@type":"http://www.w3.org/2001/XMLSchema#dateTime"},"@type":"Entry","vf:provider":{"@id":"http://timeld.org/victor"}}

API docs suggest that the session key of the timesheet entry should point to the Timesheet record. Here, I think it points to my local timeld device I used the timeld CLI on to create these entries. The first row suggests the ID of the timesheet record is "victor/api-integration" while the actual entry session ID is wDvUoLR9heTXa9ff7rE4SW. What should I use when importing?

Note that I think both Prejournal and Tiki don't use the concept of Timesheet records as individual entities. Is it possible to keep the timesheet record for one user as one entity and use that for all entries?

@gsvarovsky
Member

> What should I use when importing?

Sorry, this needs to be clearer in the docs.

The "session" you see in the report is a generated internal identifier. We should probably hide that.

When importing, the "session" key in the JSON should be the timesheet identity (in your case, yes, victor/api-integration).

If you report on the imported data, you will see that the session has been switched to a new generated key.


> Note that I think both Prejournal and Tiki don't use the concept of Timesheet records as individual entities. Is it possible to keep the timesheet record for one user as one entity and use that for all entries?

You can certainly do that, yes. However, it seems strange that there would be only one timesheet for everything the user ever does. Maybe you mean "keep the timesheet record [in a project] for one user as one entity"? In that case, maybe concatenate the project name and the user name to make a timesheet name, e.g. fedb-george.

@kroky
Author

kroky commented Jul 29, 2022

Thanks George. That definitely works!

@gsvarovsky
Member

I'll leave the ticket open to deal with this part:

> Sorry, this needs to be clearer in the docs.
>
> The "session" you see in the report is a generated internal identifier. We should probably hide that.

@gsvarovsky changed the title from "API session reference" to "Leakage of internal session identifier in report API" on Aug 15, 2022
@gsvarovsky added the bug label on Aug 29, 2022
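
The mapping discussed in this thread, as an added example that is not part of the issue or of timeld's own code: it reads report lines, swaps each entry's generated session reference for the timesheet identity, and lists the internal identifiers the report exposed. The function name `rewriteSessions`, the abbreviated sample lines, and keeping `session` as an `{"@id": ...}` reference are assumptions; the thread does not spell out the import shape.

```javascript
// Added example, not timeld code. Sample lines are constructed by
// abbreviating the report lines quoted in the issue.
const SAMPLE_REPORT = [
  '{"@id":"victor/api-integration","@type":"Timesheet"}',
  '{"@id":"wDvUoLR9heTXa9ff7rE4SW/1","activity":"timeld local setup and connection","duration":30,"session":{"@id":"wDvUoLR9heTXa9ff7rE4SW"},"@type":"Entry"}',
  '{"@id":"wDvUoLR9heTXa9ff7rE4SW/2","activity":"api review","duration":0.2,"session":{"@id":"wDvUoLR9heTXa9ff7rE4SW"},"@type":"Entry"}',
].join('\n');

// Hypothetical helper: parse newline-delimited JSON report output and
// point every Entry's "session" at the Timesheet identity.
function rewriteSessions(reportText) {
  const records = reportText
    .split('\n')
    .filter((line) => line.trim() !== '')
    .map((line) => JSON.parse(line));

  // The mapping is only unambiguous when the report covers one timesheet.
  const timesheets = records.filter((r) => r['@type'] === 'Timesheet');
  if (timesheets.length !== 1) {
    throw new Error(`expected exactly one Timesheet record, found ${timesheets.length}`);
  }
  const timesheetId = timesheets[0]['@id'];

  const internalIds = new Set();
  const entries = records
    .filter((r) => r['@type'] === 'Entry')
    .map((entry) => {
      const reported = entry.session && entry.session['@id'];
      // Anything other than the timesheet identity is a generated internal id.
      if (reported && reported !== timesheetId) internalIds.add(reported);
      // Assumption: the reference shape {"@id": ...} is kept for import.
      // The entry's own "@id" is left untouched; the thread does not cover it.
      return { ...entry, session: { '@id': timesheetId } };
    });

  return { timesheetId, entries, internalIds: [...internalIds] };
}

const result = rewriteSessions(SAMPLE_REPORT);
console.log(result.internalIds, result.entries.map((e) => e.session['@id']));
```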