Comment REST API call not working in event handler

I have a comment event handler that gets the full comment from Jira using the REST API.

If I use asApp then I get the following error:

INFO    00:19:31.969  52ed13a131b2d9ca  {
  errorMessages: [
    'test-app, you do not have the permission to comment on this issue.'
  ],
  errors: {}

Which is strange because I’m just trying to do a get, not create a comment.

I also tried using asUser. If I do then I get the error:

ERROR   23:22:50.397  f90a41a230bb8323  [NEEDS_AUTHENTICATION_ERR: Authentication required] {
  serviceKey: 'atlassian-token-service-key'
}

The code I’m using is:

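import api from '@forge/api';

// Comment event handler: fetch the full comment from Jira as the app.
export async function handleWebTrigger(event, context) {
    const requestUrl = `/rest/api/3/issue/${event.issue.id}/comment/${event.comment.id}`;
    const res = await api.asApp().requestJira(requestUrl);
    const data = await res.json();
    // Logs whatever Jira returned, including an error body.
    console.log(data);
}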

I think the asApp version has occasionally worked with asApp but most of the time doesn’t.

EDIT: I think the asApp error only occurs when the comment has security on it. Is there a scope that can do this? I just have: read:jira-work which seems to be what you need in the docs.

Thanks
Paul

Hi @paul, it’s possible that you’re hitting the “Update comment” endpoint instead, as the paths are the same. Can you try specifying the method as ‘GET’ in the fetch options? i.e.

const res = await api.asApp().requestJira(requestUrl, { method: 'GET' });

@PeterYu I have just added that and the same problem persists. It works for comments with no security but doesn’t for those with security

@paul It appears that asApp cannot access restricted comments in order to prevent privilege escalation. For the moment, this feature is intentional for security purposes.

Hi @PeterYu

Ok, thanks for finding that out. How does looking at restricted comments allow for privilege escalation? As you can see from the example above, we already have the comment text as part of the comment add/edit event trigger (I was getting the other fields not in the event) so I have the comment text anyway.

The app I’m developing needs to look at secure comments. Do you know when this functionality is going to be available?

Regards
Paul

@paul I was mistaken in my last post, apologies. It turns out that this is caused by an underlying issue with app permissions that the team is currently working to address. It is being tracked in the ticket here https://ecosystem.atlassian.net/browse/FRGE-212.

In the meantime, you may try the workaround documented in that ticket.

Thanks for finding that @PeterYu, I’ll keep a watch on the issue. I’ll use the workaround but I don’t suppose you know roughly when this will be released?

Regards
Paul

@paul Unfortunately I don’t have much of a timeline for you, but hopefully it is addressed soon.
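
Added example, not part of the thread and not Atlassian's code: a handler that checks the response instead of logging it blindly, and falls back to the fields already in the event when the app identity is refused on a restricted comment. The names fetchComment and resolveComment, the injected requestJira function and the stub responses are assumptions constructed for illustration; only the error text comes from the thread.

```javascript
// Added example. fetchComment, resolveComment and the stubs are hypothetical names;
// the error text matched below is the one quoted in the thread.
const DENIED = /do not have the permission/i;

// Decide what the handler may use: the REST body, or only the event's own fields.
function resolveComment(ok, body, eventComment) {
  if (ok) return { source: 'rest', comment: body };
  const messages = Array.isArray(body && body.errorMessages) ? body.errorMessages : [];
  if (messages.some((m) => DENIED.test(m))) {
    // Restricted comment refused for the app identity: fall back to the event payload.
    return { source: 'event', comment: eventComment, reason: messages[0] };
  }
  // Any other failure is surfaced rather than silently logged.
  throw new Error(`Jira request failed: ${messages.join('; ') || 'unknown error'}`);
}

// requestJira is injected; in a Forge app it would wrap api.asApp().requestJira.
async function fetchComment(requestJira, event) {
  const url = `/rest/api/3/issue/${event.issue.id}/comment/${event.comment.id}`;
  const res = await requestJira(url, { method: 'GET' });
  const body = await res.json().catch(() => ({})); // tolerate a non-JSON error body
  return resolveComment(res.ok, body, event.comment);
}

// Constructed sample data (not real Jira output).
const SAMPLE_EVENT = { issue: { id: '10001' }, comment: { id: '20002', body: 'event text' } };
const deniedStub = async () => ({
  ok: false,
  json: async () => ({
    errorMessages: ['test-app, you do not have the permission to comment on this issue.'],
    errors: {},
  }),
});
const okStub = async (url) => ({
  ok: true,
  json: async () => ({ id: '20002', self: url, visibility: null }),
});

fetchComment(deniedStub, SAMPLE_EVENT).then((r) => console.log(r.source, r.reason));
fetchComment(okStub, SAMPLE_EVENT).then((r) => console.log(r.source, r.comment.self));
```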