I am testing https://myinstance.atlassian.net/rest/api/3/mypermissions?permissions=USER_PICKER
- When I am logged as Jira user I get:
{"permissions":{"USER_PICKER":{"id":"27","key":"USER_PICKER","name":"Browse users and groups","type":"GLOBAL","description":"View and select users or groups from the user picker, and share issues. Users with this permission can see the names of all users and groups on your site.","havePermission":true}}}
- When I am logged as a Jira Service Desk customer:
<status>
<status-code>403</status-code>
<message>
ASAP token from issuer 'micros/edge-authenticator' failed authorization
</message>
</status>
- When I am NOT logged:
{"permissions":{"USER_PICKER":{"id":"27","key":"USER_PICKER","name":"Browse users and groups","type":"GLOBAL","description":"View and select users or groups from the user picker, and share issues. Users with this permission can see the names of all users and groups on your site.","havePermission":true}}}
Is it a bug in 2. ? or is it a security problem in 3. ?
PS. Documentation states:
permissions
string
A list of permission keys. This parameter accepts a comma-separated list. Omitting this parameter is deprecated . To get the list of available permissions, use Get all permissions. Note that deprecated keys cannot be used. Deprecated keys are not returned by Get all permissions but are returned by this operation if permissions is omitted.
It doesn’t state that the parameter is required, but it is:
{"errorMessages":["The 'permissions' query parameter is required."],"errors":{}}