Hey Atlassian,
Now that this change has been rolled out, I see some problems:
Documentation incorrect for “RateLimit-Reason”
The constants described in the docs for the RateLimit-Reason field do not match what is returned in real life, or at least not for Confluence. Can someone please fix the docs to include the production values? And while you are there, maybe someone can also remove the now-irrelevant references to the “Beta” prefixes?
Per-object costs of certain operations destroy quotas in seconds, even on toy-sized sites
I asked a question in the very first post of this thread that (as far as I know) was never answered. Unfortunately, I just stumbled across the answer myself after being unexpectedly rate-limited on my test instance, and the answer is not good.
For reference, that question was:
Do requests that return multiple objects of a type incur a point-based cost for every single object? For example, if I request a group object that contains 15 users, am I billed 15*2=30 points for this request? (If an app inadvertently requests an enterprise group that contains 30,000 users, does that exhaust the app’s token bucket with one request?)
I have a test space on my test instance running Confluence Premium. This space shows a completely trivial set of users in the space permissions configuration:
- 2 real users
- 2 real groups
- 15 app users
The /api/v2/spaces/{spaceId}/permissions endpoint consumes two points. Not per call. Not per principal. Two points per permission.
For whatever reason, Confluence generates 480 permissions for this space with two real users, so invoking this endpoint once consumes nearly 1,000 points (assuming we follow the cursors). I have not configured any permissions manually, nor have I added any users or apps manually to the space, so the site and the space are configured with whatever Confluence does natively.
Is this point cost intentional? For a site with two users?
If so, vendors are effectively prohibited from using a basic product API that has been functional for years, even on a toy-sized test instance.
In this scenario, would it not be more appropriate to add heavy warnings to the docs for this API and to start the process to withdraw this endpoint from service? (And can you please then provide vendors with an alternative, non-expensive API that allows us to fetch the information we need?)
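An added example, not part of the original post and not Atlassian code: a client-side guard that follows cursors only while the worst-case cost of the next page still fits a point budget, run against the 480-permission space described above. The two-points-per-permission figure is the cost reported in the post; the response shape (`results`, `next`), the page size of 100 and the fake endpoint are assumptions constructed for illustration.

```python
from typing import Callable, Optional

# Cost per returned permission as reported in the post above (not an official constant).
POINTS_PER_PERMISSION = 2


def make_fake_endpoint(total: int) -> Callable:
    """Constructed stand-in for the permissions endpoint; the cursor is an offset."""
    def fetch_page(cursor: Optional[int], limit: int) -> dict:
        start = cursor or 0
        end = min(start + limit, total)
        return {
            "results": [{"id": i} for i in range(start, end)],
            "next": end if end < total else None,
        }
    return fetch_page


def fetch_within_budget(fetch_page: Callable, budget: int, limit: int = 100) -> dict:
    """Follow cursors, issuing a call only when a full page would still fit the budget.

    The cost is only known after the response arrives, so the guard has to
    reserve the worst case (limit * cost per object) before each request.
    """
    spent, items, cursor, complete = 0, [], None, False
    worst_case = limit * POINTS_PER_PERMISSION
    while not complete:
        if budget - spent < worst_case:
            break  # stop before the call, not after the quota is gone
        page = fetch_page(cursor, limit)
        items.extend(page["results"])
        spent += len(page["results"]) * POINTS_PER_PERMISSION
        cursor = page["next"]
        complete = cursor is None
    return {"items": items, "spent": spent,
            "complete": complete, "resume_cursor": cursor}


if __name__ == "__main__":
    endpoint = make_fake_endpoint(480)  # the space described in the post
    for budget in (10_000, 500):
        r = fetch_within_budget(endpoint, budget)
        print(budget, r["spent"], r["complete"], r["resume_cursor"])
```

The guard is deliberately conservative: with a budget of exactly 960 points it stops after four pages, because it cannot know in advance that the last page holds only 80 permissions.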