Context:
I find DriveItem's with request calls like the following:
https://graph.microsoft.com/v1.0/sites/knockycode.sharepoint.com,{siteId},{driveId}/drive/items/{itemId}/children
Keep in mind that {siteId}, {driveId}, and {itemId} are placeholders. Examples values are 01CGQD2IXV5WLDIQPZH5CLXFCTZCV2ERYC, not guids like 44434afe-d8fb-470e-904e-fc865e029b30
Question:
I persist in my database these Id values with the assumption that they will not be regenerated on the SharePoint side. Unless I go on SharePoint and do the "Reset all Document IDs" action.
Is my assumption correct?
Related
If I navigate to /rest/api/2/issue/createmeta/PROJ/issuetype/N (in this case, I'm getting Task), the list of fields returned is incomplete. There are a number of customfields that are in use (I can see them both in the tickets themselves, and also in /plugins/servlet/project-config/PROJ/fields ) that are in the createmeta data.
I'm really trying to do this in python jira, where I'm using "expand='projects.issuetypes.fields'" in the createmeta() call, but I figured I'd double-check the results in the rest API directly, and I'm getting the same results there, too.
This is happening in jira 8.20.7.
Essentially, what I'm trying to do, is to programatically get a name/id mapping of all fields in the ticket type. I'm having far more difficulty doing that than I thought there would be. I would do it based on /rest/api/2/field but the jira admins have allowed some duplicated names...
EDIT: I realized that it might be worth noting that some of the fields I'm looking for are coming from a ServiceDesk form, although, as far as I can tell, there's no way to determine that, since one of the missing fields contains the name of the form.
Why are you using createmeta endpoint?
Instead of that, in order to get all of the customfields and their values; just note their id and get the values from /rest/api/2/issue/{issueKey} endpoint.
When you send a GET request to /rest/api/2/issue/{issueKey} endpoint, you will get a JSON object which contains "fields" object in it.
And using the "fields" you can determine all of the values that include system fields (description, assignee, etc.) and custom fields (like customfield_<customfieldid>).
And for a general approach, you may want to look at the field types in that response.
I'm on a project in which I need to get data from a ServiceNow instance and treat all data with PowerBI. I'm able to retrieve a big amount of data (Snow collect a lot of data), but I still need a way to filter data correctly. I'm calling to this URL:
Besides, I want also to apply a filter to retrieve just some specific registries from the table Requested Items. For that, I use the sysparm_query parameter to filter the field "cmdb_ci" and more specifically it's "name", something like:
&sysparm_query=cmdb_ci=What I need to Filter
Apart from this, I have also tried:
&sysparm_query=cmdb_ci.value=What I need to Filter
&sysparm_query=cmdb_ci.display_value=What I need to Filter
&sysparm_query=cmdb_ci.sys_id=What I need to Filter
&sysparm_query=cmdb_ci.name=What I need to Filter
But still not found the solution... as all these does not respond the solution needed.
Does someone know how I can manage this?
Thanks!!
JLG
There are two "Configuration item" fields in sc_req_item: cmdb_ci and configuration_item. Make sure that you are using the correct one. Either cmdb_ci.name=value or configuration_item.name=value should work, depending on which of the two fields you are using. cmdb_ci.value and cmdb_ci.display_value will not work as there are no fields on the record with these names. cmdb_ci.sys_id should work if you are supplying a sys_id (although it is redundant to type .sys_id for a reference field).
You should first verify your query through the ServiceNow UI before attempting to use it in an API call.
Type sc_req_item.list in the Filter navigator
On the filter list select "Show related fields"
Get your filter to work correctly
Right-click on the filter and select "Copy query"
The next step is to test it using the REST API Explorer.
Final step is to configure your client tool (PowerBI).
GET mailFolders/archivemsgfolderroot
I use distinguish name to get this in-place mailbox folder
and the response is:
...
"displayName": "Top of Information Store",
...
However, this is not the custom name I modified on office365.
Is it possible to get that custom name?
I also try to get distinguish folder in EWS managed API
<t:DistinguishedFolderId Id="archivemsgfolderroot" />
It returns the same name
...
<t:DisplayName>Top of Information Store</t:DisplayName>
...
--
Add two image ref.
how I add it
how it looks like at outlook
thanks for help
I see that a user can set a property, "ArchiveName", to give their archive mailbox a custom name. In powershell, this would be using a Set-Mailbox cmdlet.
https://learn.microsoft.com/en-us/powershell/module/exchange/mailboxes/set-mailbox?view=exchange-ps
That doc states that it applies to Outlook and OWA and, after a quick look, I can't see a way to get that property other than using Get-Mailbox which is not ideal. So as best I can tell it's not exposed through EWS or REST and thus probably isn't available through Microsoft Graph.
I would encourage you to file a suggestion: https://officespdev.uservoice.com/forums/224641-feature-requests-and-feedback/category/101632-microsoft-graph-o365-rest-apis
You can try the following endpoint
https://graph.microsoft.com/v1.0/me/mailFolders/archivemsgfolderroot/childFolders/AAMkADQ5OWMzMGEwLTg4ZjktNDk1Ny05NzFmLWRhZjg4ODU0YzUwYwAuAAAAAACtqDzk9UzLSpZsdesjndr1AQBNzq1HG8BvRYqBQbPeZSPaAAGdwZCCAAA=
(Replace the id to yours):https://graph.microsoft.com/v1.0/me/mailFolders/archivemsgfolderroot/childFolders/id
We ran the Fortify scan and had some Access Control: Database issues. The code is getting the textbox value and setting it to a string variable. In this case, it's passing the value from the TextBox to the stored procedure in a database. Any ideas on how I can get around this Access Control: Database issue?
Without proper access control, the method ExecuteNonQuery() in DataBase.cs
can execute a SQL statement on line 320 that contains an attacker-controlled primary
key, thereby allowing the attacker to access unauthorized records.
Source: Tool.ascx.cs:591 System.Web.UI.WebControls.TextBox.get_Text()
rptItem.FindControl("lblClmInvalidEntry").Visible = false;
ToolDataAccess.UpdateToolData(strSDN, strSSNum, strRANC, strAdvRecDate, strAdvSubDate, strClmRecDate, strClmAuth, strClmSubDate, strAdvAuth, txtNoteEntry.Text);
Sink: DataBase.cs:278
System.Data.SqlClient.SqlParameterCollection.Add()
// Add parameters
foreach (SqlParameter parameter in parameters)
cmd.Parameters.Add(parameter);
The point of "Access Control: Database" is where it isn't being specific enough in the query and so could potentially allow a user to see information that they're not supposed to.
An easy example of this vulnerability would be a payroll database where there is a textbox that says the ID of the employee and gives their salary, this could potentially allow the user to change the ID and see the salary of other employees.
Another example where this is often intended functionality is in a website URL where the product ID is used in a parameter, meaning a user could go through every product you have on your site. But as this only allows users to see information they're supposed to be able to, it's not particularly a security issue.
For instance:
"SELECT account_balance FROM accounts WHERE account_number = " + $input_from_attacker + ";"
// even if we safely build the query above, preventing change to the query structure,
// the attacker can still send someone else's account number, and read Grandma's balance!
As this is pretty context based, it's difficult to determine statically so there are lots of examples where Fortify may catch this but it's actually intended functionality. That's not to say the tool is broken, it's just one of the limitations of static analysis and depending on what your program is supposed to be doing it may or may not be intended.
If this is intended to work like this, then I would suggest auditing it as not an issue or suppressing the issue.
If you can see that this is definitely an issue and users can see information that they shouldn't be able to, then the stored procedure needs to be more specific so that users can only see information they should be able to. However SCA will likely still pick this up in a latter scan so you would still then need to audit it as fixed and no longer an issue.
I'm fairly familiar with REST principles, and have read the relevant dissertation, Wikipedia entry, a bunch of blog posts and StackOverflow questions on the subject, but still haven't found a straightforward answer to a common case:
I need to request a resource to display. Depending on the resource's state, I need to render either a read-only or an editable representation. In both cases, I need to GET the resource. How do I construct a URL to get the read-only or editable version?
If my user follows a link to GET /resource/<id>, that should suffice to indicate to me that s/he needs the read-only representation. But if I need to server up an editable form, what does that URL look like? GET /resource/<id>/edit is obvious, but it contains a verb in the URL. Changing that to GET /resource/<id>/editable solves that problem, but at a seemingly superficial level. Is that all there is to it -- change verbs to adjectives?
If instead I use POST to retrieve the editable version, then how do I distinguish between the POST that initially retrieves it, vs the POST that saves it? My (weak) excuse for using POST would be that retrieving an editable version would cause a change of state on the server: locking the resource. But that only holds if my requirements are to implement such a lock, which is not always the case. PUT fails for the same reason, plus PUT is not enabled by default on the Web servers I'm running, so there are practical reasons not to use it (and DELETE).
Note that even in the editable state, I haven't made any changes yet; presumably when I submit the resource to the Web server again, I'd POST it. But to get something that I can later POST, the server has to first serve up a particular representation.
I guess another approach would be to have separate resources at the collection level:
GET /read-only/resource/<id> and GET /editable/resource/<id> or GET /resource/read-only/<id> and GET /resource/editable/<id> ... but that looks pretty ugly to me.
Thoughts?
1) It is perfectly valid to have two distinct resources, one for viewing and one for editing some domain concept. Just be aware that because they are two different URIs from REST's perspective they are two different resources. Too often people conflate resource with domain object. That's why they end up being stuck only doing CRUD.
2) Don't get too hung up on the name of the resource. The important thing is that you realize that what the URI points to is a "thing", "a resource". If that's more obvious to you with editable instead of edit then use that. Having a verb in your URL doesn't make your application wrong, it just makes it a bit less readable to the human developer. Using a verb in the URL to try and redefine the semantics of the HTTP method, now that's a violation of the uniform interface constraint.
In REST, editing an existing resource is accomplished by a client GET-ing a representation of that resource, making changes to the representation, and then doing a PUT of the new representation back to the server.
So to just read a resource your REST client program would do a:
GET http://www.example.com/SomeResource
And to edit that resource:
GET http://www.example.com/SomeResource
... edit it ...
PUT http://www.example.com/SomeResource
Normally simultaneous updates are handled by letting the last PUT arriving at the server overwrite the earlier ones, on the assumption that it represents a newer state. But in your case you want to guard against this.
Carefully consider #Jason's suggestion to maintain an optional parallel lock resource for each main resource. Your client would first create the lock, do the edit, then delete the lock. Your system would need to release a lock automatically if the user making the lock subsequently never saves any changes. This would look like:
GET http://www.example.com/SomeResource
... user presses an edit button ...
PUT http://www.example.com/SomeResource/lock
... user edits the resource's representation ...
PUT http://www.example.com/SomeResource
DELETE http://www.example.com/SomeResource/lock
You'd need to do some appropriate error handling if the user is trying to edit a resource that's locked by someone else.
It sounds like you feel you're constrained by the current limitations of HTML. If you use a server-side REST framework like Restlet (for Java), it supports the notion of "overloaded POST", where you can use POST but tack on a query string argument like method=PUT or method=DELETE. If you're writing your own server-side components they can use this trick too.
There are tricks you can play at the HTML level too. For instance your page can have a read-only part that's initially displayed, and an input form that's initially not shown. When the user presses the edit button, your JavaScript hides the read-only part and shows the input form.
Be sure to read Richardson and Ruby's Restful Web Services (O'Reilly) too. It's extremely helpful.
I don't think returning a form or just values is up to a REST server, but the responsibility of the client. Whether a resource is editable is a property of the resource, and not something defined by the URL.
In other words: The URL for getting the resource is GET /resource/<id>. This has a property editable. If a user wants a form it can retrieve the resource from the same URL and populate the form. The client can than PUT/POST changes.
How do I construct a URL to get the read-only or editable version?
There's an underlying problem here, which is that you are constructing URLs in the first place - appending IDs to hard-coded URLs is not REST. Roy Fielding has written about this very mistake. Whichever document prompts you to edit the resource should contain the URI to the editable variant of that resource. You follow that URI, whether that's /resource/editable or /editable/resource is outside the scope of REST.
If instead I use POST to retrieve the editable version, then how do I distinguish between the POST that initially retrieves it, vs the POST that saves it?
You perform a GET (not a POST) to read the resource, and POST (or PUT) to write the resource.
If you want to create a lock on the resource in question, use POST to write to the resource (or the resource's container, with the resource ID encoded in the body of the POST), and have the server create a lock as a new resource, and return an ID of that resource as the response to the POST. (with authentication issues beyond the scope of your question or this answer)
Then to unlock the lock, either use a DELETE on the lock resource, or POST to the lock's container.
I guess your question could be "how to identify the readonly representation that return with GET action in PUT action?". You could do this:
<Root>
<readonly>
<p1><p1>
...
<readonly>
<others>
...
<others>
<Root>
After parsing the request XML from PUT you can ignore the readonly part and process others. In Response, return 200 status and leave a message saying the part in readonly is ignored.
Is it your expected?