Execute a method after app install

Hi,

is it possible to execute some methods (rest calls) if my addon is installed?

I want to get some content from Confluence with a rest call and I need the admin rights to see all the data. So my idea is to execute this one time if my app is installed (because then the admin should be logged in).

Or is there maybe another way to start a rest call without some user?

Cheers,
Marcel

1 Like

Hi @anon60878045,

If your app declares its authentication type as jwt in its descriptor, then it will receive events for when the app is installed and subsequently when it is enabled. Once the app receives the enabled event, the app can make calls to the Confluence REST API any time it needs to. If the REST resources the app calls require the admin scope, then the app will obviously need to request this scope. So if your app only needs to perform an operation once, the simplest solution would be to do it upon receiving the enabled event.

Regards,
Dugald

2 Likes

Hi @dmorrow ,

thanks for your fast answer! The event is perfect. Exactly what I need.

But I started a REST-Call in this event to get the content of confluence (/rest/api/content).

To test, I've one page in confluence which is restricted to the user 'Marcel Frank' only. If I get the data in the browser via the URL https://mydomain.atlassian.net/rest/api/content and I'm logged in as 'Marcel Frank' I get the restricted page. But if I start the same REST-Call in the addon-enabled event, I got only the not-restricted pages...

Browser with logged in user:

Response in app on the app-enabled event:

Cheers,
Marcel

Hi @anon60878045,

When your app makes API requests from an iframe using AP.request, Confluence checks the app's scopes are sufficient and then uses the permissions of the user who is logged in. However, if an app makes an app call from the app's server using standard JWT authentication, then Confluence uses the permissions of the system user that is associated with the app (this user is automatically created when the app is first installed). A third way to make an API call is from the app using JWT, but in a way that impersonates a particular user - see User impersonation for Connect apps. For this your app will need the ACT_AS_USER scope.

Regards,
Dugald
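
Added example, not part of the thread and not Atlassian's or the poster's code: a hand-built Connect JWT for the "standard JWT authentication" case described above, showing that the token names only the app (`iss`) and binds to one request (`qsh`), with no user claim. The app key, shared secret and 180-second lifetime are constructed assumptions, and the path canonicalisation covers only the simple case.

```javascript
// Added example (not from the thread): hand-built Connect JWT for a server-side call.
const crypto = require('crypto');

const b64url = (data) => Buffer.from(data).toString('base64')
  .replace(/=+$/, '').replace(/\+/g, '-').replace(/\//g, '_');

// RFC 3986 percent-encoding for query keys and values in the canonical request.
const enc = (s) => encodeURIComponent(s).replace(/[!'()*]/g,
  (c) => '%' + c.charCodeAt(0).toString(16).toUpperCase());

// Canonical request: METHOD&path&sorted-query; the "jwt" parameter is excluded.
function canonicalRequest(method, path, query = {}) {
  const q = Object.keys(query).filter((k) => k !== 'jwt').sort()
    .map((k) => enc(k) + '=' + [].concat(query[k]).map(enc).sort().join(','))
    .join('&');
  return [method.toUpperCase(), path.replace(/\/+$/, '') || '/', q].join('&');
}

const hmac = (secret, input) =>
  b64url(crypto.createHmac('sha256', secret).update(input).digest());

// Claims carry the app key (iss) and the request hash (qsh), and no user (sub).
function signConnectJwt({ appKey, sharedSecret, method, path, query, now }) {
  const iat = now ?? Math.floor(Date.now() / 1000);
  const qsh = crypto.createHash('sha256')
    .update(canonicalRequest(method, path, query)).digest('hex');
  const claims = { iss: appKey, iat, exp: iat + 180, qsh }; // 180 s: assumption
  const input = b64url(JSON.stringify({ typ: 'JWT', alg: 'HS256' })) + '.' +
    b64url(JSON.stringify(claims));
  return input + '.' + hmac(sharedSecret, input);
}

// Check the signature in constant time and the expiry; return claims or null.
function verifyConnectJwt(token, sharedSecret, now = Math.floor(Date.now() / 1000)) {
  const [h, c, sig] = token.split('.');
  const expected = Buffer.from(hmac(sharedSecret, h + '.' + c));
  const given = Buffer.from(sig || '');
  if (given.length !== expected.length) return null;
  if (!crypto.timingSafeEqual(given, expected)) return null;
  const claims = JSON.parse(Buffer.from(c, 'base64').toString('utf8'));
  return claims.exp > now ? claims : null;
}

// Constructed sample values; a real shared secret arrives in the "installed" payload.
const sampleToken = signConnectJwt({
  appKey: 'com.example.first-index', sharedSecret: 'constructed-secret',
  method: 'GET', path: '/rest/api/content', query: { type: 'page' }, now: 1700000000,
});
console.log(verifyConnectJwt(sampleToken, 'constructed-secret', 1700000060));
```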

Hi @dmorrow,

I think I used the standard JWT authentication. You said then Confluence uses the permissions of the system user that is associated with the app. Is it possible that this user can see the complete content in Confluence, regardless of the restrictions?

Here is what I do:

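    // Route handler; addon.authenticate() verifies the JWT on the incoming request.
    app.post('/first-index', addon.authenticate(), function (req, res) {
        // HTTP client that signs outgoing requests with the app's JWT.
        var httpClient = addon.httpClient(req);
        httpClient.get({
            url: '/rest/api/content'
        }, function (err, response, body) {
            // Callback parameter renamed so it no longer shadows the Express `res`.
            if (err) {
                console.error(err);
            }
            console.log(response);
            console.log(body);
        });
        // Answer the incoming request so it does not hang.
        res.sendStatus(204);
    });

    "authentication": {
      "type": "jwt"
    },
    "lifecycle": {
      "installed": "/installed"
    },
    "scopes": [
      "read"
    ],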

If I do the third way with ACT_AS_USER, how can I get the admin, because the admin is different on each instance...

Cheers,
Marcel

Hi @dmorrow ,

I tried the ACT_AS_USER variant, but I added the user account id manually. So if there is a possibility to get the account id from the system admin it would work. But I do not find any way to do this. The better solution for me, would be that my addon user should have system admin rights to see restricted content.

Cheers,
Marcel

Hi @anon60878045,

Trying to find a user that has admin privileges and then making a user impersonation request on their behalf sounds like the wrong pattern to me. Maybe you need to be calling an operation that requires admin scope using standard JWT auth?

Regards,
Dugald

Hi @dmorrow,

for me it also sounds wrong. But if I put "admin" as the value in scopes, I also won't see the restricted pages.

    "scopes": [
      "admin"
    ],

Is it not possible to see all pages, also the restricted ones?

Cheers,
Marcel

Hi @anon60878045,

Having administrative privileges does not mean access to all content. Administrative privileges relate to the access to product capabilities, not content access.

Regards,
Dugald

1 Like

Hi @dmorrow,

so it's not possible to have access to all content?

Cheers,
Marcel

That's right.

Thanks for your time and your help @dmorrow!

1 Like