Execute a method after app install

Hi,

is it possible to execute some methods (rest calls) if my addon is installed?

I want to get some content from Confluence with a rest call and I need the admin rights to see all the data. So my idea is to execute this one time if my app is installed (because then the admin should be logged in).

Or is there may be another way to start a rest call without some user?

Cheers,
Marcel

1 Like

Hi @anon60878045,

If your app declares its authentication type as jwt in its descriptor, then it will receive events for when the app is installed and subsequently when it is enabled. Once the app receives the enabled event, the app can make calls to the Confluence REST API any time it needs to. If the REST resources the app calls requires the admin scope, then the app will obviously need to request this scope. So if your app only needs to perform an operation once, the simplest solution would be to do it upon receiving the enabled event.

Regards,
Dugald

2 Likes

Hi @dmorrow ,

thanks for your fast answer! The event is perfect. Exactly what I need.

But I started a REST-Call in this event to get the content of confluence (/rest/api/content).

To test, I’ve one page in confluence which is restricted to the user ‘Marcel Frank’ only. If I get the data in the browser via the URL https://mydomain.atlassian.net/rest/api/content and I’m logged in as ‘Marcel Frank’ I get the restricted page. But if I start the same REST-Call in the addon-enabled event, I got only the not-restricted pages…

Browser with logged in user:

Response in app on the app-enabled event:

Cheers,
Marcel

Hi @anon60878045,

When your apps makes API requests from an iframe using AP.request, Confluence checks the app’s scopes are sufficient and then uses the permissions of the user who is logged in. However, if an app makes an app call from the app’s server using standard JWT authentication, then Confluence uses the permissions of the system user that is associated with the app (this user is automatically created when the app is first installed). A third way to make an API call is from the app using JWT, but in a way that impersonates a particular user - see https://developer.atlassian.com/cloud/confluence/user-impersonation-for-connect-apps/. For this your app will need the ACT_AS_USER scope.

Regards,
Dugald

Hi @dmorrow,

I think I used the standard JWT authentication. You said then Confluence uses the permissions of the system user that is accociated with the app. Is it possible that this user can see the complete content in Confluence, regardless of the restrictions?

Here is what I do:

    app.post('/first-index', addon.authenticate(), function (req, res) {
            var httpClient = addon.httpClient(req);
            httpClient.get({
                url: '/rest/api/content'
            }, function (err, res, body) {
                console.log(res);
                console.log(body);
            });
        }
    );
  "authentication": {
    "type": "jwt"
  },
  "lifecycle": {
    "installed": "/installed"
  },
  "scopes": [
    "read"
  ],

If I do the third way with ACT_AS_USER, how can I get the admin, because the admin is different on each instance…

Cheers,
Marcel

Hi @dmorrow ,

I tried the ACT_AS_USER variant, but I added the user account id manually. So if there is a possibility to get the account id from the system admin it would work. But I do not find any way to do this. The better solution for me, would be that my addon user should have system admin rights to see restricted content.

Cheers,
Marcel

Hi @anon60878045,

Trying to find a user that has admin privileges and then making a user impersonation request on their behalf sounds like the wrong pattern to me. Maybe you need to be calling an operation that requires admin scope using standard JWT auth?

Regards,
Dugald

Hi @dmorrow,

for me it sounds also wrong. So but if I put “admin” as value into scopes, I’ll also not see the restricted pages.

  "scopes": [
    "admin"
  ],

Is it not possible to see all pages, also the restricted ones?

Cheers,
Marcel

Hi @anon60878045,

Having administrative privileges does not mean access to all content. Administrative privileges relates to the access to product capabilities, not content access.

Regards,
Dugald

1 Like

Hi @dmorrow,

so it’s not possible to have access to all content?

Cheers,
Marcel

That’s right.

Thanks for your time and your help @dmorrow!

1 Like