Connect apps accessing the Content Property Javascript API will now require permission scopes

Hi developers,

We will be fixing a security bug in the implementation of the Connect Javascript API that allowed Connect app modules to access the Confluence Content Property API without declaring the appropriate scopes. After this fix is rolled out on 27 Aug 2023, the setContentProperty and getContentProperty APIs will require WRITE and READ scope respectively.

How do I know if my app is affected?

If your app calls setContentProperty or getContentProperty via the Connect Javascript API, and doesn’t declare WRITE/READ scope in the descriptor, then your app is affected. Your app is not affected if you the scopes are declared, or you are calling the Confluence Content Property API instead.

What do I need to do?

If your app is affected based on the criteria above, you will need to add the appropriate scope to your app descriptor depending on which API you would like to call.



This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.