import api from '@forge/api';

export async function handleWebTrigger(event, context) {
  // Fetch the full comment to get the fields that are not in the trigger event
  const requestUrl = `/rest/api/3/issue/${event.issue.id}/comment/${event.comment.id}`;
  const res = await api.asApp().requestJira(requestUrl);
  const data = await res.json();
  console.log(data);
}
I think the asApp version has occasionally worked with asApp but most of the time doesn’t.
EDIT: I think the asApp error only occurs when the comment has security on it. Is there a scope that can do this? I just have read:jira-work, which seems to be what you need in the docs.
Hi @paul, it’s possible that you’re hitting the “Update comment” endpoint instead, as the paths are the same. Can you try specifying the method as ‘GET’ in the fetch options? i.e.
const res = await api.asApp().requestJira(requestUrl, { method: 'GET' });
@paul It appears that asApp cannot access restricted comments in order to prevent privilege escalation. For the moment, this feature is intentional for security purposes.
Ok, thanks for finding that out. How does looking at restricted comments allow for privilege escalation? As you can see from the example above, we already have the comment text as part of the comment add/edit event trigger (I was getting the other fields not in the event) so I have the comment text anyway.
The app I’m developing needs to look at secure comments. Do you know when this functionality is going to be available?
@paul I was mistaken in my last post, apologies. It turns out that this is caused by an underlying issue with app permissions that the team is currently working to address. It is being tracked in the ticket here [FRGE-212] - Ecosystem Jira.
In the meantime, you may try the workaround documented in that ticket.
Thanks for finding that @PeterYu, I’ll keep a watch on the issue. I’ll use the workaround but I don’t suppose you know roughly when this will be released?
@PeterYu, I see that [FRGE-212] - Ecosystem Jira has now been done, but since the permissions have now changed I’m not sure what I need to add to the manifest. I assume to be able to load a comment with security on it I’d have needed “read:jira-work”. I checked the docs and it says that is deprecated but doesn’t say what is required to replace it. What permissions do I need to access a comment with security on it?
EDIT: Just tried read:jira-work and I still get the permissions error.
EDIT: The REST API docs say it needs: read:comment:jira, read:comment.property:jira, read:group:jira, read:project:jira, read:project-role:jira, read:user:jira, read:avatar:jira, but I already have those and that doesn’t work.
I reached out to the relevant teams for comments and we were able to replicate the issue you described when getting a restricted comment. In order to isolate the issue from FRGE-212, I created [FRGE-709] - Ecosystem Jira on your behalf.
Kindly watch the ticket to get updates on the progress and feel free to leave additional comments as you see fit.