Jira Service Desk for Server provides Java APIs that list available service desks and the request types on them. These APIs take an ApplicationUser object and perform a security check to confirm that the user is allowed to access the service desk etc.
As far as I can tell, none of those APIs work for customers — i.e. portal-only users. The APIs respond with data when accessed by a normal Jira user, but not customers. This doesn’t make sense to me: customers can use the JSD portal website just fine… but the APIs refuse to provide the service desks and request types those same customers see in the portal.
This code demonstrates the problem:
```java
@GET
@Path("/sd/{serviceDeskId}/rt/{requestTypeId}")
public Response getTest(@PathParam("serviceDeskId") int serviceDeskId, @PathParam("requestTypeId") int requestTypeId) {
    ApplicationUser user = jiraAuthenticationContext.getLoggedInUser();
    String userKey = user.getKey();

    // Look up the service desk by ID as the logged-in user
    log.debug(
        serviceDeskService.getServiceDeskById(user, serviceDeskId).fold(
            (error) -> userKey + " getServiceDeskById error: " + error.getMessage(),
            (serviceDesk) -> userKey + " getServiceDeskById OK: " + serviceDesk.getProjectName()
        )
    );

    // Look up the portal with ID 1 as the logged-in user
    log.debug(
        portalService.getPortalForId(user, 1).fold(
            (error) -> userKey + " getPortalForId error: " + error.getMessage(),
            (portal) -> userKey + " getPortalForId OK: " + portal.getName()
        )
    );

    // Query the given request type on the given service desk
    RequestTypeQuery requestTypeQuery = requestTypeService.newQueryBuilder().serviceDesk(serviceDeskId).requestType(requestTypeId).build();
    log.debug(
        requestTypeService.getRequestTypes(user, requestTypeQuery).fold(
            (error) -> userKey + " getRequestTypes error: " + error.getMessage(),
            (requestTypes) -> userKey + " getRequestTypes OK: " + requestTypes.size() + " request types"
        )
    );

    // List the service desks visible to the logged-in user (first 100)
    log.debug(
        serviceDeskService.getServiceDesks(user, new SimplePagedRequest(0, 100)).fold(
            (error) -> userKey + " getServiceDesks error: " + error.getMessage(),
            (serviceDesks) -> userKey + " getServiceDesks OK: " + serviceDesks.size() + " service desks"
        )
    );

    return Response.ok("Done").build();
}
```
That code should load a service desk, a portal, and a request type, then log the results. It works fine for administrators and Jira agents, resulting in logs like this:
```
admin getServiceDeskById OK: Test Desk
admin getPortalForId OK: Test Desk
admin getRequestTypes OK: 1 request types
admin getServiceDesks OK: 2 service desks
```
But for a customer who only has portal access, the logs are:
```
portal@example.com getServiceDeskById error: sd.agent.servicedesk.error.project.nopermission : 'You don't have permission to access this Service Desk.'
portal@example.com getPortalForId error: sd.portal.error.permission : 'You do not have permission to view this Portal.'
portal@example.com getRequestTypes error: sd.agent.servicedesk.error.project.nopermission : 'You don't have permission to access this Service Desk.'
portal@example.com getServiceDesks OK: 0 service desks
```
The API is telling us that the customer cannot access that service desk, or indeed any service desks at all.
So my questions are:
- Is this a bug?
  It seems wrong that APIs refuse permission to customers, because it is all information they can see in the portal. But perhaps it is deliberate? I have seen some bugs raised on this, such as JSDECO-80 and this question, but there has been no indication from Atlassian whether it is considered a bug or not.
- How are we meant to access the APIs for customers?
  Is there some other way we are meant to retrieve this data for customers? We could possibly use the ServiceDeskManager class which doesn’t take a user or perform a security check, but then how do we make sure the customer is authorised to view the service desk? ServiceDeskPermissionService doesn’t have any suitable methods to let us perform that security check ourselves.
Note that I tested this in several versions of Jira Service Desk (3.3.0, 3.5.0, 3.7.0 and 3.9.0) and found they all have the same behaviour.