I am writing a JIRA add-on with Connect that may span multiple issues or projects. I have some functionality that I would like to only be accessible to administrators (people having the ADMINISTER permission in JIRA). For example, only users with this permission in JIRA should be allowed to POST /do-stuff.
How can the server (Node with atlassian-connect-express here, for that matter) verify that the user indeed has this permission?
There is the /mypermissions call in the API, but since the server always makes requests as the fake add-on user, it won't give me the permissions of the user I want.
There also is /user/permission/search, but this one requires an issue or project key (which makes no sense to me, since the add-on is not really about issues or projects).
So, how can I ask JIRA for permissions of a user? How can I implement authorization on the server side at all?
UPDATE: Thanks for the answers! I am aware of the options on the client side, but I was wondering about the server side. As we all know the client can't be trusted, there's nothing stopping the malicious users from forging requests (reads as well as writes). The real authorization has to happen on the server side.
I think for now I'll stick to checking if the user is in administrators group.
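The fallback the question settles on (deciding on the server from group membership rather than from anything the client sends) as an added example, not code from the thread or from the atlassian-connect-express project. It assumes that ACE's authenticate() middleware has placed the JWT-verified user key on req.context.userKey, that the caller supplies fetchPage(req, groupName, startAt) as a wrapper around addon.httpClient(req).get() for GET /rest/api/2/group/member, and that that endpoint's response is paginated as { values: [{ key, name }], isLast, startAt }; all three are assumptions, not facts the thread confirms.

```javascript
// Added example, not code from the thread: a server-side admin gate for an
// atlassian-connect-express (ACE) add-on that decides from group membership.
// Assumptions (not confirmed by the thread): ACE's authenticate() middleware has
// put the JWT-verified user key on req.context.userKey; fetchPage(req, groupName,
// startAt) is a caller-supplied wrapper around addon.httpClient(req).get() for
// GET /rest/api/2/group/member?groupname=<group>&startAt=<n>, whose response is
// assumed to be paginated as { values: [{ key, name, ... }], isLast, startAt }.

const ADMIN_GROUP = 'jira-administrators';

// Pure decision: is userKey listed on any page of the membership listing?
function isListedMember(pages, userKey) {
  return pages.some((page) => Array.isArray(page.values)
    && page.values.some((member) => member.key === userKey));
}

// Fetch every page of the group listing, then decide. Throws on malformed data
// so the caller can fail closed instead of treating garbage as "not a member".
async function isMemberOfGroup(fetchPage, req, groupName, userKey) {
  const pages = [];
  let startAt = 0;
  for (;;) {
    const page = await fetchPage(req, groupName, startAt);
    if (!page || !Array.isArray(page.values)) {
      throw new Error('unexpected membership response');
    }
    pages.push(page);
    if (page.isLast || page.values.length === 0) break;
    startAt += page.values.length;
  }
  return isListedMember(pages, userKey);
}

// Express-style middleware factory. The identity is taken only from the
// server-verified context; nothing in the body or query string is trusted.
function adminOnly(fetchPage, groupName = ADMIN_GROUP) {
  return async function (req, res, next) {
    const userKey = req.context && req.context.userKey;
    if (!userKey) {
      res.status(401).send('no authenticated user in context');
      return;
    }
    try {
      if (!(await isMemberOfGroup(fetchPage, req, groupName, userKey))) {
        res.status(403).send('membership of ' + groupName + ' required');
        return;
      }
      next();
    } catch (err) {
      // Fail closed: a lookup failure must never grant access.
      res.status(503).send('could not verify permissions');
    }
  };
}

// Constructed sample listing, split over two pages, standing in for JIRA.
const SAMPLE_PAGES = [
  { startAt: 0, isLast: false, values: [{ key: 'alice', name: 'alice' }, { key: 'bob', name: 'bob' }] },
  { startAt: 2, isLast: true, values: [{ key: 'carol', name: 'carol' }] },
];

// Offline stand-in for the real fetcher; ignores req because no HTTP call is made.
function sampleFetchPage(req, groupName, startAt) {
  if (groupName !== ADMIN_GROUP) return Promise.resolve({ startAt, isLast: true, values: [] });
  return Promise.resolve(SAMPLE_PAGES.find((p) => p.startAt === startAt));
}

// Drive the middleware with a minimal fake request/response and report the outcome.
async function runGate(userKey, fetchPage = sampleFetchPage) {
  const req = { context: userKey ? { userKey } : undefined };
  const outcome = { status: null, passed: false };
  const res = {
    status(code) { outcome.status = code; return this; },
    send() { return this; },
  };
  await adminOnly(fetchPage)(req, res, () => { outcome.passed = true; });
  return outcome;
}

// Wiring in an ACE app (assumed names):
//   app.post('/do-stuff', addon.authenticate(), adminOnly(jiraFetchPage), handler);
// where jiraFetchPage(req, groupName, startAt) calls addon.httpClient(req).get().
```

The gate runs after addon.authenticate() so the user key comes from the verified JWT, and it fails closed on any lookup error or malformed response; the membership listing is walked page by page because a large admin group may not fit in one response.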
Hi Konrad,
For your specific question about getting user permissions via a server-server call, there doesn't seem to be an easy way to do this today. Feel free to watch / vote for https://jira.atlassian.com/browse/JRA-47372 which I have raised about the shortcoming of the endpoint you mentioned.
However, if what you want to do is hide / block certain actions from users unless they are admins, this sounds like a perfect use case for conditions, namely the user_is_admin condition - apply this to the web item / web panel containing the admin functions and the connect platform will take care of only showing it to admin users:

```json
{
  "modules": {
    "webPanels": [
      {
        "location": "atl.jira.view.issue.right.context",
        "conditions": [
          { "condition": "user_is_admin" }
        ]
        // ...
      }
    ]
  }
}
```
Alternatively, you could follow and add to this issue: https://ecosystem.atlassian.net/browse/AC-1080
Hi Konrad.
I suggest doing either of the following.
1. ... "invert":true, and rely on JIRA's condition logic to do the permissioning for you. E.g. your admin panel will be shown to admins and your non-admin panel will be shown to non-admins.
2. ... the mypermissions API from the browser, because this will run as the browser user.

The situation in which this will not work is if you are 100% server-to-server.
Hi Konrad,
Did you have the opportunity to check this answer? https://answers.atlassian.com/questions/38542
Also check this documentation for JIRA 7: https://docs.atlassian.com/jira/REST/latest/#api/2/group-getUsersFromGroup
Cheers,
Renato Rudnicki
Thank you, but I need *permissions*, not *groups*.