Adding comments to tickets via Connect App sometimes fails

We are utilizing a Connect app to handle user impersonation to make comments on issues.

Using the Connect app we make an authorization call to “https://oauth-2-authorization-server.services.atlassian.com/oauth2/token” to get a token on behalf of a user. We then use that token to make a call to “servicedeskapi/request/{IssueKey}/comment” to add a comment from the user.

The problem we are seeing is that some accounts have access and are allowed to make comments on tickets where they are not the reporter, and others cannot do so (403 Forbidden error from the servicedeskapi endpoint).

What could be the difference between the tickets and/or users that would explain this discrepancy?

Welcome to the Atlassian developer community @MaxGrayer,

I was hoping that our user documentation would explain the ticket permission model, but it really only explains how to change the comment permissions. Unfortunately, I can’t find an authoritative reference, so my product knowledge will have to suffice (which is to say, the following may not be exhaustive). The following should be the only users who can comment:

  • Agents. On most Jira instances, that’s a subset of the active users. I think non-agent users can read and make some changes, but not do transitions or comments.
  • Customers for the ticket. That set might be as small as just the person who raised the ticket. But, with configuration (both project & ticket level), that might include participants or everyone in the organization to whom the reporter belongs.

JSM experts can correct me if I’m wrong. And I would recommend testing those cases explicitly, if you depend on comment permissions. Hopefully, that’s enough to unblock you.

Thanks for the welcome and the reply!

What’s confusing to me is that it seems “intermittent” in that users within the same level don’t behave the same. That led me to believe that it was likely a project-level permission problem, but that doesn’t seem to be it either.

Other Atlassian Support staff seem confused by the inconsistency too. “I was able to trace your successful updates per the comments applied within our backend logs … However, there were no errors surfaced per the logs”. That makes me think that the token being generated by the Connect App might not always have the proper permissions.

That might be consistent with the 2nd bullet. If you and I are both customers, you can’t comment on my ticket, even though we are “the same level”. Or do you mean something more specific by level?

But, Jira permissions are really a beast, made incredibly complicated by the possibility that customers might be doing something that applies their own effective permission model dynamically. :frowning: Are you seeing this behavior in your own testing? Do you have specific customers reporting it?

One path would be to provide some better diagnostics; pushing some of the responsibility back to customers to first help eliminate possibilities that might be of their own making.

Another path would be to have a “fallback” mode where a 403 gets a 2nd chance using asApp.

Both paths operate as if Jira’s permissions cannot be completely known, at either dev time or run time. I call it “Jira realism”. :wink:
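As an added example (mine, not code from this thread or from Atlassian), the two paths above in Python: post the comment with the user's token, capture diagnostics on a 403, and retry asApp only when explicitly enabled. The site URL, tokens, account ids and the fake HTTP transport are constructed; the app's Authorization value is assumed to be whatever your Connect framework uses for asApp calls.

```python
import json
import logging
from dataclasses import dataclass, field
from typing import Callable, Dict, Tuple

# Hypothetical transport: (url, headers, body) -> (status_code, response_text).
HttpCall = Callable[[str, Dict[str, str], str], Tuple[int, str]]
log = logging.getLogger("jsm-comment")


@dataclass
class CommentResult:
    status: int
    mode: str  # "user", "app-fallback" or "failed"
    diagnostics: Dict[str, str] = field(default_factory=dict)


def add_comment(site: str, issue_key: str, body: str, account_id: str,
                user_auth: str, app_auth: str, http: HttpCall,
                allow_app_fallback: bool = False) -> CommentResult:
    """Post as the impersonated user; on 403 record diagnostics and, only if
    allowed, retry under the app's own identity (the thread's asApp path)."""
    url = f"{site}/rest/servicedeskapi/request/{issue_key}/comment"
    headers = {"Authorization": user_auth, "Content-Type": "application/json"}
    status, text = http(url, headers, json.dumps({"body": body, "public": True}))
    if status != 403:
        return CommentResult(status, "user" if status < 300 else "failed")
    # JSM accepted the token but denied the action: capture who and where so a
    # customer admin can check agent / customer / participant membership.
    diag = {"issue": issue_key, "accountId": account_id,
            "reason": "403 from servicedeskapi as user", "response": text[:200]}
    log.warning("comment denied: %s", diag)
    if not allow_app_fallback:
        return CommentResult(403, "failed", diag)
    # The retry runs with the app's permissions, not the user's, so the body
    # carries the original author and the diagnostics record the fallback.
    headers["Authorization"] = app_auth
    fallback = json.dumps({"body": f"(on behalf of {account_id}) {body}", "public": True})
    status, text = http(url, headers, fallback)
    diag["fallbackStatus"] = str(status)
    return CommentResult(status, "app-fallback" if status < 300 else "failed", diag)


def fake_http(url: str, headers: Dict[str, str], body: str) -> Tuple[int, str]:
    """Constructed stand-in for JSM: denies one user token, accepts everything else."""
    if headers["Authorization"] == "Bearer denied-user-token":
        return 403, '{"errorMessage":"You do not have permission to comment"}'
    return 201, '{"id":"10001"}'
```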