Connect addon security

Hi,

Using webhooks, JIRA provides information related to projects, issues etc… to the connect app hosted somewhere else. If a particular user is not authorized to access a piece of information, say information related to ‘Project A’, then using the connect app he/she can still access this information. How does JIRA prevent this? Or is it the app’s responsibility not to show the information in this case?

Please advise.

Regards,
Mugilan

Webhooks are keyed to an app user, so the app should only be receiving data it’s allowed to consume. Now if you store the data on your side and then render it back to end users, you’ll need to enforce who can see what (using user impersonation to get the issue would work, or just sending the issue ids back to the browser and having AP.request fetch the actual issue data).

4 Likes

Thanks a lot Daniel for your reply.

I’m just paraphrasing my understanding below. Please correct me if I’m wrong.

App user: A user who installs the connect app in an instance
End users: Users who use the connect app

Webhooks send the data with respect to the ‘App user’. If ‘connect app’ stores the data at server side, it is the responsibility of ‘connect app’ to enforce ‘who can see what’.

Even if we use user impersonation, we can only impersonate the ‘App user’ and not the end user. If we have to show data relevant to the end user, is the only way to do that through AP.request?

Is my understanding correct?

Reference: User impersonation for Connect apps

Regards,
Mugilan