Change in permissions for GET custom field option API

What is changing?

The GET custom field option REST API (GET /rest/api/3/customFieldOption/{id}) will now enforce a permission check and return the custom field option only if one of the following holds:

  • the user has the Administer Jira global permission; or
  • the user has the Browse projects project permission for at least one project the custom field is used in, and the field is visible in at least one layout the user has permission to view.

If the user does not have permission to view the custom field, or the option does not exist, a 404 is returned. Both cases map to the same status, so the response does not reveal whether a given option ID exists.

Why this change?

Previously this API returned the value of any custom field option to anonymous users, provided they supplied a valid option ID. Because option IDs are numeric, this is a security risk: an attacker can guess or enumerate IDs and read option values they should not be allowed to see.
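The permission rule from "What is changing?" and the enumeration scenario above, modelled in Python as an added example. This is not Jira's own code: the data model, the permission label, the users, project keys and option values are all assumed and constructed here; only the field id customfield_10071 and option id 10210 are taken from this thread.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple

# Label for the global permission named in the announcement (assumed constant name).
ADMINISTER_JIRA = "ADMINISTER_JIRA"


@dataclass
class User:
    name: str
    global_permissions: Set[str] = field(default_factory=set)


@dataclass
class CustomField:
    field_id: str
    used_in_projects: Set[str]   # projects whose contexts include this field
    layouts: Set[str]            # screens/layouts on which the field is shown


@dataclass
class Site:
    """Constructed site state: who can browse which project, who can see which
    layout, and which field each option belongs to. Not a real Jira data model."""
    browse_permission: Dict[str, Set[str]]   # project key -> users with Browse projects
    layout_viewers: Dict[str, Set[str]]      # layout name -> users who can view it
    fields: Dict[str, CustomField]
    options: Dict[int, Tuple[str, str]]      # option id -> (field id, option value)

    def can_view_field(self, user: Optional[User], cf: CustomField) -> bool:
        """The rule from the announcement: Administer Jira, or Browse projects on a
        project the field is used in AND the field visible on a layout the user can view."""
        if user is None:                      # anonymous callers never pass
            return False
        if ADMINISTER_JIRA in user.global_permissions:
            return True
        can_browse = any(user.name in self.browse_permission.get(p, set())
                         for p in cf.used_in_projects)
        sees_layout = any(user.name in self.layout_viewers.get(l, set())
                          for l in cf.layouts)
        return can_browse and sees_layout

    def get_custom_field_option(self, user: Optional[User],
                                option_id: int) -> Tuple[int, Optional[dict]]:
        """Behaviour of GET /rest/api/3/customFieldOption/{id} after the change.
        'No such option' and 'not permitted' both map to 404, so the status code
        cannot be used as an existence oracle."""
        entry = self.options.get(option_id)
        if entry is None:
            return 404, None
        field_id, value = entry
        if not self.can_view_field(user, self.fields[field_id]):
            return 404, None
        return 200, {"self": f"/rest/api/3/customFieldOption/{option_id}", "value": value}


def sweep_option_ids(site: Site, user: Optional[User], id_range: range) -> Dict[int, str]:
    """Simulate the brute-force sweep the announcement warns about: request every
    id in the range and collect whatever comes back with 200."""
    found = {}
    for oid in id_range:
        status, body = site.get_custom_field_option(user, oid)
        if status == 200:
            found[oid] = body["value"]
    return found


# Constructed sample data. The field and option ids are the ones quoted later in
# this thread; the option values, users and project keys are made up.
SITE = Site(
    browse_permission={"SEC": {"alice"}, "OPS": {"bob"}},
    layout_viewers={"SEC default screen": {"alice", "bob"}},
    fields={"customfield_10071": CustomField("customfield_10071", {"SEC"}, {"SEC default screen"})},
    options={10210: ("customfield_10071", "Confidential"),
             10211: ("customfield_10071", "Internal")},
)
ADMIN = User("admin", {ADMINISTER_JIRA})
ALICE = User("alice")   # Browse projects on SEC and can see the screen -> allowed
BOB = User("bob")       # can see the screen but has no Browse projects on SEC -> denied

if __name__ == "__main__":
    for who, u in [("anonymous", None), ("bob", BOB), ("alice", ALICE), ("admin", ADMIN)]:
        print(who, sweep_option_ids(SITE, u, range(10200, 10300)))
```

Running the script shows an empty sweep for the anonymous caller and for bob, and both options for alice and admin. The point to notice is that a non-existent id (99999) and a forbidden one (10210 requested by bob) are indistinguishable to the caller; an implementation that returned 403 for the second case would still let an anonymous sweep discover which ids exist.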

What do I need to do?

If you are using this API, make sure your requests are authenticated as a user (or app) that holds one of the permissions listed above, and treat a 404 response as meaning either that the option does not exist or that the caller is not permitted to view it.

When will this change take effect?

The change will be rolled out no sooner than 19th August, 2020.


@aagrawal2 Is it intentional to require ADMIN permission from apps to access the CF options API? I have a need to display possible CF options to a user, and I’m not able to do that easily, because the context is undefined (it doesn’t matter in that UX).

I need to fall back to /rest/api/3/issue/createmeta?expand=projects.issuetypes.fields, but it does not cover the corner case of “CF not present on any Create issue screen”. /rest/api/3/issue/{issueIdOrKey}/editmeta is limited to a particular issue context, and it’s not useful in this case (the issue context is unknown). /createmeta also seems to be quite heavyweight.

On the other hand as a user I can access this information directly thanks to:

  • if the user has the Browse projects project permission for at least one project the custom field is used in, and the field is visible in at least one layout the user has permission to view.

Unfortunately, when I try with AP.request on /rest/api/3/field/customfield_10071/context/10210/option I get a 403 error.

What would be your recommendation in this case? I would prefer to not add “ADMIN” to scope of my app.

Hi @Grzegorz.Tanczyk, your app should only require the READ scope in order to access this API. Having this scope will assign the atlassian-addons-project-access project role to your app, which has the Browse projects permission by default.

Please be aware that project administrators are still able to revoke this permission for a given project.

Regards,
Kyle

@Kyle Thanks for responding. I confirm - I have READ scope on my app, and the atlassian-addons-project-access role on my app. I’m not able to request this REST endpoint: /rest/api/3/field/customfield_10071/context/10210/option from my app iframe using AP.request. The same URL works fine when I open it directly as the same user.

Hi @Grzegorz.Tanczyk, this change refers to the GET custom field option API /rest/api/3/customFieldOption/{id}.

The GET options for field (context) API is unchanged as far as I’m aware. So yes, in order to use the API you are referring to you’ll need the ADMIN scope.

Regards,
Kyle

@Kyle would it be possible to remove this limitation? If it is there because of security reasons, I suggest having a look at the JQL autocompletion endpoint: https://developer.atlassian.com/cloud/jira/platform/rest/v3/api-group-jql/#api-rest-api-3-jql-autocompletedata-suggestions-get - it serves the same information, and I imagine a similar endpoint with fully comprehensive information.

Sorry for the delayed response @Grzegorz.Tanczyk, I missed your message.
There is an announcement discussing the addition of these new context APIs here. This would be the preferred channel to provide any feedback on the limitations you’re currently experiencing.