Boards not visible for my addon system user

niels · April 26, 2018, 1:24pm

Hi, I have made an addon with the following scopes:

"scopes": [
    "ADMIN",
    "ACT_AS_USER"
  ]

I have a problem with a user who has boards that are restricted to only be visible for users from a certain Group and therefore my addon cant see the boards I am guessing because the addon system user is not part of the group…

Is this intended behavior? Is there anything I can do to fix it?

rwhitbeck · April 26, 2018, 4:33pm

Have you tried adding the ADD scope to see if the board shows up?

https://developer.atlassian.com/cloud/jira/platform/scopes/

daniel · April 27, 2018, 12:33am

Yes.

https://developer.atlassian.com/cloud/jira/platform/security-overview/

Combining static and run-time authorization
The set of actions that an app is capable of performing is the intersection of the static scopes and the permissions of the user assigned to the request. This means that requests can be rejected because the assigned user lacks the required permissions. Therefore, your app should always defensively detect HTTP 403 forbidden responses from the product.

You can either make the request as the user (either through the UI or use the ACT_AS_USER mechanism) and if the current user should have access to it - you’d get the data. You might be able to up your scope to ADMIN and potentially get it. If you go that route (and it works) - consider the impact on your marketplace listing.

niels · April 27, 2018, 9:27am

Do you mean the WRITE scope?
I was under the impression that that was “included” in the ADMIN scope.
I just tried to add it, but unfortunately it didn’t help

niels · April 27, 2018, 9:39am

The add-on just runs a continuous synchronizations between Jira and another PM tool, so I dont have a specific user to “act as”.

I am trying to get the boards via an API call authenticated with a JWT token made from the client key and secret from the add-on installation handshake.

The add-on already has the ADMIN scope.

daniel · April 27, 2018, 8:11pm

One way around this is to get the end users to “opt in” that you can sync the boards they’re seeing. Then you can use the “act as” feature to become those users and get their boards.

Otherwise - you should just call out to the customers that you’re just syncing the boards that your application user can see (they can add the user to groups).

niels · April 30, 2018, 7:06am

My first thought was also to just have them add the system user to the group, but unfortunately that doesn’t seem to be possible.

When ever I try to add the system user to a group I get the following error: System users product access cannot be removed