Server-side authorization with Connect

Konrad Garus
Rising Star
November 25, 2015

I am writing a JIRA add-on with Connect that may span multiple issues or projects. I have some functionality that I would like to only be accessible to administrators (people having the ADMINISTER permission in JIRA). For example, only users with this permission in JIRA should be allowed to POST /do-stuff.

How can the server (Node with atlassian-connect-express here, for that matter) verify that the user indeed has this permission?

There is the /mypermissions call in the API, but since the server always makes requests as the fake add-on user, it won't give me the permissions of the user I want.

There is also /user/permission/search, but this one requires an issue or project key (which makes no sense to me, since the add-on is not really about issues or projects).

So, how can I ask JIRA for permissions of a user? How can I implement authorization on the server side at all?


UPDATE: Thanks for the answers! I am aware of the options on the client side, but I was wondering about the server side. As we all know, the client can't be trusted; there's nothing stopping malicious users from forging requests (reads as well as writes). The real authorization has to happen on the server side.

I think for now I'll stick to checking if the user is in the administrators group.
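Server-side enforcement of the group check the update above settles on, as an added example that is not part of this thread or of atlassian-connect-express. It assumes the add-on's JWT authentication step has already run and placed the calling user's key in req.context.userKey, and that lookupGroups (a hypothetical wrapper around the group REST lookup made as the add-on user) resolves a user key to that user's group names; a constructed in-memory directory stands in for the real lookup so the block runs offline.

```javascript
// Group names that count as "administrator" (assumption: adjust to the instance's groups).
const ADMIN_GROUPS = new Set(['jira-administrators', 'jira-system-administrators']);

function isAdminByGroup(groups, adminGroups = ADMIN_GROUPS) {
  // Case-insensitive match; a missing or malformed group list denies.
  if (!Array.isArray(groups)) return false;
  return groups.some((g) => adminGroups.has(String(g).toLowerCase()));
}

// Express-style middleware factory: put it in front of POST /do-stuff, after the
// add-on's authenticate middleware (assumed to populate req.context.userKey).
function requireAdmin(lookupGroups) {
  return async function (req, res, next) {
    const userKey = req.context && req.context.userKey;
    if (!userKey) {
      // No authenticated user: fail closed rather than fall through.
      return res.status(401).json({ error: 'unauthenticated' });
    }
    try {
      const groups = await lookupGroups(userKey); // server-to-server call as the add-on user
      if (!isAdminByGroup(groups)) {
        return res.status(403).json({ error: 'forbidden' });
      }
      return next();
    } catch (err) {
      // A failed lookup is also a deny: never grant on error.
      return res.status(503).json({ error: 'authorization unavailable' });
    }
  };
}

// Constructed stand-in for the JIRA group membership lookup (hypothetical data).
const FAKE_DIRECTORY = {
  konrad: ['jira-users', 'jira-administrators'],
  mallory: ['jira-users'],
};
async function fakeLookupGroups(userKey) {
  if (!(userKey in FAKE_DIRECTORY)) throw new Error('user not found');
  return FAKE_DIRECTORY[userKey];
}

// Minimal req/res/next stubs so the middleware can be exercised without Express;
// returns the status that would have been sent and whether the route was reached.
async function runMiddleware(mw, userKey) {
  const out = { status: 200, called: false };
  const res = { status(c) { out.status = c; return this; }, json() { return out; } };
  await mw({ context: userKey ? { userKey } : {} }, res, () => { out.called = true; });
  return out;
}
```

Forged client requests are rejected with 403 because the decision is taken from the server-side group lookup, not from anything the browser sends apart from the authenticated user identity.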

4 answers

1 accepted


1 vote
Answer accepted
James Hazelwood
Atlassian Team
November 25, 2015

Hi Konrad,

For your specific question about getting user permissions via a server-server call, there doesn't seem to be an easy way to do this today. Feel free to watch / vote for https://jira.atlassian.com/browse/JRA-47372 which I have raised about the shortcoming of the endpoint you mentioned.

However, if what you want to do is hide / block certain actions from users unless they are admins, this sounds like a perfect use case for conditions, namely the user_is_admin condition - apply this to the web item / web panel containing the admin functions and the connect platform will take care of only showing it to admin users:

{
    "modules": {
        "webPanels": [
            {
                "location": "atl.jira.view.issue.right.context",
                "conditions": [
                    {
                        "condition": "user_is_admin"
                    }
                ],
                // ... //
            }
        ]
    }
}
0 votes
peterb
Atlassian Team
November 25, 2015

Alternatively, you could follow and add to this issue: https://ecosystem.atlassian.net/browse/AC-1080

0 votes
peterb
Atlassian Team
November 25, 2015

Hi Konrad.

I suggest doing either of the following.

  • Display content selectively using 2 user_is_admin conditions, one with "invert":true, and rely on JIRA's condition logic to do the permissioning for you. E.g. your admin panel will be shown to admins and your non-admin panel will be shown to non-admins.
  • Call the mypermissions API from the browser, because this will run as the browser user.

The situation in which this will not work is if you are 100% server-to-server.

0 votes
rrudnicki
Atlassian Team
November 25, 2015

Hi Konrad,

Did you have the opportunity to check this answer? https://answers.atlassian.com/questions/38542

Also check this documentation for JIRA 7: https://docs.atlassian.com/jira/REST/latest/#api/2/group-getUsersFromGroup

Cheers,

Renato Rudnicki

Konrad Garus
Rising Star
November 25, 2015

Thank you, but I need *permissions*, not *groups*.
