"System ()" in attendance comment
about 1 year ago by Pascal Lacmann
Hello,
We have an external time booking tool and send the attendances via the API to Personio.
Today one of our employees booked some time with the following comment: "Test System (Munich)"
When calling the attendance API, it returns a 403 Access denied. We think that this request is interpreted as code execution or something like that because "Test-System (Munich)" or "Test System Munich" is working while "System ()" or "Test-System ()" doesn't work.
Is this intended behavior? Are there any other exclusions which we should forbid in the external system?
Example body:
{"attendances":[{"employee":123,"date":"2023-11-27","start_time":"16:30","end_time":"17:00","break":0,"comment":"Test System (Munich)"}],"skip_approval":true}