Version 0.3 of the Bugzilla REST API has been released. New in this version:
- name=value search for arbitrary fields; e.g. “&cf_mycustomfield=somevalue”
- All timestamps are now in UTC, ISO 8601 format
- Support for OPTIONS
- Access-Control-Allow-Origin header now on all responses (permits cross-site requests)
- Support for downloading bug data for multiple bugs, in full, in a single request (see docs for search to find out how)
- Text searches now default to “contains_all” (as substrings, space-separated)
- Initial support for decent error codes – however, don’t rely on them not changing!
- Note that the timestamp format change is backwards-incompatible.
- All API capabilities now work against bugzilla.mozilla.org, now that it’s been upgraded and patched.
- An advance warning: in the next release, the Configuration object’s “groups” hash will change to be keyed by ID rather than name (and so also the “id” field will disappear to be replaced by a “name” field).
Won’t allowing cross-site requests open the door for CSRF attacks on Bugzilla from random webpages?
Ted: No, I don’t think so, because all Bugzilla API URLs require authentication parameters on the URL. It doesn’t use cookie auth or HTTP Basic Auth.
If that still leaves us open to CSRF, tell me how, quick! :-)
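
The reasoning in the reply above, as an added JavaScript model that is not part of the original post or of the Bugzilla API code: a page on another site chooses the URL but cannot supply credentials it does not know, whereas cookies would be attached by the browser on its own. The `username`/`password` parameter names, the `/bug/1` path, the `*` header value and the account and session values are constructed assumptions.

```javascript
// Added illustration; names, paths and parameter names are hypothetical.
const USERS = new Map([["alice@example.com", "s3cret"]]);      // constructed account
const SESSIONS = new Map([["sess-123", "alice@example.com"]]); // constructed session

// Scheme from the reply: credentials are read from the URL only.
function authFromUrl(req) {
  const q = new URL(req.url, "https://bugzilla.example").searchParams;
  const user = q.get("username");
  const ok = user !== null && USERS.has(user) && USERS.get(user) === q.get("password");
  return ok ? user : null;
}

// Contrast: a cookie-session scheme, which the reply says the API does not use.
function authFromCookie(req) {
  return SESSIONS.get(req.cookies.session) ?? null;
}

// Every response carries Access-Control-Allow-Origin, as in the release notes
// (the "*" value is an assumption).
function handle(req, authenticate) {
  const user = authenticate(req);
  return {
    status: user ? 200 : 401,
    headers: { "Access-Control-Allow-Origin": "*" },
    actedAs: user,
  };
}

// Browser model: the page picks the URL; the browser adds the target site's
// cookies by itself, whichever page triggered the request.
function browserSends(pageOrigin, url, cookieJar) {
  return { origin: pageOrigin, url, cookies: { ...cookieJar } };
}

function demo() {
  const jar = { session: "sess-123" }; // only meaningful to the cookie scheme
  const forged = browserSends("https://other-site.example", "/bug/1?status=RESOLVED", jar);
  const ownClient = browserSends("https://tool.example",
    "/bug/1?status=RESOLVED&username=alice%40example.com&password=s3cret", {});
  return {
    forgedVsUrlAuth: handle(forged, authFromUrl),       // rejected: no credentials on the URL
    forgedVsCookieAuth: handle(forged, authFromCookie), // accepted: cookie rode along
    ownClientVsUrlAuth: handle(ownClient, authFromUrl), // accepted: caller supplied credentials
  };
}
```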