m-ld / timeld

Live shared timesheets
MIT License

Leakage of internal session identifier in report API #44

Open kroky opened 2 years ago

kroky commented 2 years ago

I currently have this data in my sample timeld.org timesheet:

{"@id":"victor/api-integration","@type":"Timesheet"}
{"@id":"wDvUoLR9heTXa9ff7rE4SW/1","activity":"timeld local setup and connection","duration":30,"session":{"@id":"wDvUoLR9heTXa9ff7rE4SW"},"start":{"@value":"2022-07-27T13:04:36.424Z","@type":"http://www.w3.org/2001/XMLSchema#dateTime"},"@type":"Entry","vf:provider":{"@id":"http://timeld.org/victor"}}
{"@id":"wDvUoLR9heTXa9ff7rE4SW/2","activity":"api review","duration":0.2,"session":{"@id":"wDvUoLR9heTXa9ff7rE4SW"},"start":{"@value":"2022-07-27T13:05:19.404Z","@type":"http://www.w3.org/2001/XMLSchema#dateTime"},"@type":"Entry","vf:provider":{"@id":"http://timeld.org/victor"}}

The API docs suggest that the session key of the timesheet entry should point to the Timesheet record. Here, I think it points to the local timeld device I used the timeld CLI on to create these entries. The first row suggests the ID of the timesheet record is "victor/api-integration", while the actual entry session ID is wDvUoLR9heTXa9ff7rE4SW. What should I use when importing?

Note that I think both Prejournal and Tiki don't use the concept of Timesheet records as individual entities. Is it possible to keep the timesheet record for one user as one entity and use that for all entries?

gsvarovsky commented 2 years ago

> What should I use when importing?

Sorry, this needs to be clearer in the docs.

The "session" you see in the report is a generated internal identifier. We should probably hide that.

When importing, the "session" key in the JSON should be the timesheet identity (in your case, yes, victor/api-integration).

If you report on the imported data, you will see that the session has been switched to a new generated key.


> Note that I think both Prejournal and Tiki don't use the concept of Timesheet records as individual entities. Is it possible to keep the timesheet record for one user as one entity and use that for all entries?

You can certainly do that, yes. However, it seems strange that there would be only one timesheet for everything the user ever does. Maybe you mean "keep the timesheet record [in a project] for one user as one entity"? In that case, maybe concatenate the project name and the user name to make a timesheet name, e.g. fedb-george.

kroky commented 2 years ago

Thanks George. That definitely works!

gsvarovsky commented 2 years ago

I'll leave the ticket open to deal with this part:

> Sorry, this needs to be clearer in the docs.
>
> The "session" you see in the report is a generated internal identifier. We should probably hide that.
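
Added example (not timeld's own code and not written by anyone in this thread): the JavaScript below takes report output like the lines in the first comment, sets each entry's "session" to the timesheet identity as advised above, and checks that the generated internal identifier no longer appears anywhere in the result. The sample lines and session id are constructed; writing "session" as a plain string and dropping the report's entry "@id" are assumptions about the import format, not something this thread confirms.

```javascript
// Constructed sample report lines (the session id is a made-up placeholder).
const sampleReport = [
  '{"@id":"alice/demo","@type":"Timesheet"}',
  '{"@id":"EXAMPLEsessionID000000/1","activity":"local setup","duration":30,' +
    '"session":{"@id":"EXAMPLEsessionID000000"},"@type":"Entry"}',
  '{"@id":"EXAMPLEsessionID000000/2","activity":"api review","duration":12,' +
    '"session":{"@id":"EXAMPLEsessionID000000"},"@type":"Entry"}',
];

// Hypothetical helper: turn report lines into import-ready entries.
function prepareForImport(lines) {
  const records = lines.filter((l) => l.trim()).map((l) => JSON.parse(l));
  const timesheets = records.filter((r) => r['@type'] === 'Timesheet');
  if (timesheets.length !== 1) {
    throw new Error(`expected exactly one Timesheet record, found ${timesheets.length}`);
  }
  const timesheetId = timesheets[0]['@id'];

  const internalIds = new Set();
  const entries = [];
  for (const r of records) {
    if (r['@type'] !== 'Entry') continue;
    const sid = r.session && r.session['@id'];
    if (sid && sid !== timesheetId) internalIds.add(sid); // generated internal id
    // Assumption: the report's entry "@id" (which embeds the session id) is not
    // needed on import, so it is dropped rather than carried over.
    const { '@id': _reportId, ...rest } = r;
    // Assumption: import accepts the timesheet identity as a plain string here.
    entries.push({ ...rest, session: timesheetId });
  }

  // Leak check: no internal session id may survive in any field of the output.
  const leaks = entries.filter((e) => {
    const text = JSON.stringify(e);
    return [...internalIds].some((id) => text.includes(id));
  });
  return { timesheetId, entries, internalIds: [...internalIds], leaks };
}

const result = prepareForImport(sampleReport);
console.log(result.entries.map((e) => JSON.stringify(e)).join('\n'));
console.log('internal ids removed:', result.internalIds, 'leaks:', result.leaks.length);
```

A non-empty `leaks` array means the identifier also appears in a field the helper does not rewrite, such as free-text activity notes, and needs a manual look before the data is shared.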