Hello everyone,
I’m developing an Atlassian Forge app for Jira Cloud that allows users to add or remove other users from groups they belong to. For this, I’m using the following Jira Cloud REST API endpoints:
- POST /rest/api/3/group/user (to add users to a group)
- DELETE /rest/api/3/group/user (to remove users from a group)
Initially, I tried making these calls with api.asUser(), but as expected, I hit a 403 Forbidden error ({"key":"forbidden","context":{"message":"Not admin"}}) if the interacting user didn't have site admin permissions.
To resolve this, I've updated my code to use api.asApp() within the functions responsible for adding and removing users from groups, expecting the app to operate with its own elevated permissions.
Current Configuration:
1. Backend Code:
I've confirmed that the calls to the group management endpoints are indeed using api.asApp():
```javascript
import api, { route } from '@forge/api';
import Resolver from '@forge/resolver';

const resolver = new Resolver();

// Function to add user
resolver.define('addUserToGroup', async (req) => {
  // ... (previous code)
  // POST /rest/api/3/group/user with the target user in the JSON body; runs as the app, not the caller
  const response = await api.asApp().requestJira(route`/rest/api/3/group/user?groupId=${groupId}`, {
    method: 'POST',
    headers: { 'Accept': 'application/json', 'Content-Type': 'application/json' },
    body: JSON.stringify({ "accountId": accountId })
  });
  // ... (response/error handling)
});

// Function to remove user
resolver.define('removeUserFromGroup', async (req) => {
  // ... (previous code)
  // DELETE /rest/api/3/group/user identifies the user via the accountId query parameter
  const response = await api.asApp().requestJira(route`/rest/api/3/group/user?groupId=${groupId}&accountId=${accountId}`, {
    method: 'DELETE',
    headers: { 'Accept': 'application/json' }
  });
  // ... (response/error handling)
});

export const handler = resolver.getDefinitions();
```
Other functions in my backend (like isUserInGroup, searchGroups, getGroupMembers, etc.) continue to use api.asUser() as they are designed to fetch information the end-user has permission to view.
2. manifest.yml:
My manifest.yml file includes the manage:jira-configuration scope, which, according to the documentation, is necessary for these group management operations:
```yaml
permissions:
  scopes:
    - manage:jira-configuration
    - read:jira-user
    - read:jira-work
    - read:application-role:jira
    - read:user:jira
    - read:avatar:jira
# I've removed any duplicate or invalid scopes like 'write:group:jira'
```
3. Deployment and Installation:
After modifying the manifest.yml and the code, I've performed the following steps:
```shell
forge deploy
forge install --upgrade
```
(and a site administrator on the instance approved the new permissions, including manage:jira-configuration).
The Problem:
Despite using api.asApp() and having the manage:jira-configuration scope declared and seemingly granted, I'm still encountering the same 403 Forbidden error with the message {"key":"forbidden","context":{"message":"Not admin"}} when attempting to add or remove users from a group.
Example Log Output for removeUserFromGroup:
```
INFO 08:24:21.604 16ffbec3-680a-4ce0-8e67-89263b7a70a6 removeUserFromGroup called with: {
  groupId: 'c8aeeb55-dab2-48fc-975d-bf22e64a40ef',
  accountId: '60bf3808b1f93b0069603b4b'
}
INFO 08:24:21.605 16ffbec3-680a-4ce0-8e67-89263b7a70a6 Sending request to remove user 60bf3808b1f93b0069603b4b from group c8aeeb55-dab2-48fc-975d-bf22e64a40ef
ERROR 08:24:22.096 16ffbec3-680a-4ce0-8e67-89263b7a70a6 Error removing user from group: 403 Forbidden
ERROR 08:24:22.102 16ffbec3-680a-4ce0-8e67-89263b7a70a6 Error in removeUserFromGroup: Error: Failed to remove user from group: Status: 403 - An error occurred: com.atlassian.idp.client.exceptions.AuthorizationException: {"key":"forbidden","context":{"message":"Not admin"}}
    at C:\Users\romerajo\AppData\Local\Temp\forge-dist-27076-Eg1zR5k26lkQ\bundled\index.cjs:31915:13
    // ... (stack trace)
ERROR 08:24:22.103 16ffbec3-680a-4ce0-8e67-89263b7a70a6 Error: Failed to remove user from group: Status: 403 - An error occurred: com.atlassian.idp.client.exceptions.AuthorizationException: {"key":"forbidden","context":{"message":"Not admin"}}
    // ... (stack trace)
```
Question:
Is there anything I might be missing, or any additional steps I need to take for my Forge app to gain the necessary permissions via api.asApp() to manage users in groups? Could it be that manage:jira-configuration is not sufficient for these specific operations, or is there another instance-level security setting that might be blocking this even for asApp() calls?
Any help or insights would be greatly appreciated.
Thanks,
Jordi
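The post's resolvers build the request, call the endpoint and handle the error inline, so the 403 path can only be exercised against a live site. The following is an added example, not code from the post or from Atlassian's Forge SDK, that splits those steps apart: request construction validates the identifiers before they reach a query string, error classification recognises the exact `{"key":"forbidden","context":{"message":"Not admin"}}` body quoted in the log, and a fail-closed parser for the real `GET /rest/api/3/mypermissions?permissions=ADMINISTER` response lets a resolver check whether the invoking user is a Jira admin before attempting a privileged call. The HTTP client is injected, so the whole thing runs offline against a constructed fake; the function names `buildGroupRequest`, `classifyJiraError`, `isJiraAdmin`, `changeGroupMembership` and `makeFakeJiraClient`, and the sample identifiers, are assumptions for this illustration.

```javascript
// Added example, not from the original post or from Atlassian's Forge SDK.
// The network call is injected so the 403 path from the post can be run offline.
// In a Forge resolver the injected client would be something like:
//   const client = (path, init) => api.asApp().requestJira(route`${path}`, init);
// Assumed names: buildGroupRequest, classifyJiraError, isJiraAdmin,
// changeGroupMembership, makeFakeJiraClient.

const UUID_RE = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i;
const ACCOUNT_ID_RE = /^[A-Za-z0-9:-]{1,128}$/;

// Build the request for the two endpoints named in the post, validating the
// identifiers before they are placed in a query string or JSON body.
function buildGroupRequest(action, { groupId, accountId }) {
  if (!UUID_RE.test(groupId)) throw new TypeError('groupId must be a UUID');
  if (!ACCOUNT_ID_RE.test(accountId)) throw new TypeError('accountId has unexpected characters');
  const qs = new URLSearchParams({ groupId });
  if (action === 'add') {
    return {
      path: `/rest/api/3/group/user?${qs}`,
      init: {
        method: 'POST',
        headers: { Accept: 'application/json', 'Content-Type': 'application/json' },
        body: JSON.stringify({ accountId }),
      },
    };
  }
  if (action === 'remove') {
    qs.set('accountId', accountId);
    return {
      path: `/rest/api/3/group/user?${qs}`,
      init: { method: 'DELETE', headers: { Accept: 'application/json' } },
    };
  }
  throw new TypeError(`unknown action: ${action}`);
}

// Map a failed response to a structured result. The 403 body quoted in the
// post is {"key":"forbidden","context":{"message":"Not admin"}}; any other
// body is classified by status alone and is never echoed back to the caller.
function classifyJiraError(status, bodyText) {
  let body = null;
  try { body = JSON.parse(bodyText); } catch { /* non-JSON body: classify by status */ }
  const notAdmin = body && body.key === 'forbidden' && body.context && body.context.message === 'Not admin';
  if (status === 403 && notAdmin) return { kind: 'not-admin', retryable: false };
  if (status === 401) return { kind: 'unauthenticated', retryable: false };
  if (status === 403) return { kind: 'forbidden', retryable: false };
  if (status === 404) return { kind: 'not-found', retryable: false };
  if (status === 429 || status >= 500) return { kind: 'transient', retryable: true };
  return { kind: 'other', retryable: false };
}

// Fail-closed parse of the GET /rest/api/3/mypermissions?permissions=ADMINISTER
// response: any missing field counts as "not an admin".
function isJiraAdmin(myPermissionsJson) {
  const p = myPermissionsJson && myPermissionsJson.permissions;
  return Boolean(p && p.ADMINISTER && p.ADMINISTER.havePermission === true);
}

// requestJira(path, init) must return a Response-like object: { status, ok, text() }.
async function changeGroupMembership(requestJira, action, ids) {
  const { path, init } = buildGroupRequest(action, ids);
  const res = await requestJira(path, init);
  if (res.ok) return { ok: true, action, ...ids };
  return { ok: false, action, ...ids, error: classifyJiraError(res.status, await res.text()) };
}

// Constructed fake client that records calls and replays one fixed response.
function makeFakeJiraClient(status, bodyText) {
  const calls = [];
  const client = async (path, init) => {
    calls.push({ path, method: init.method });
    return { status, ok: status >= 200 && status < 300, text: async () => bodyText };
  };
  client.calls = calls;
  return client;
}

// Constructed sample input: the identifiers and the 403 body from the post's log.
const SAMPLE_IDS = { groupId: 'c8aeeb55-dab2-48fc-975d-bf22e64a40ef', accountId: '60bf3808b1f93b0069603b4b' };
const NOT_ADMIN_BODY = JSON.stringify({ key: 'forbidden', context: { message: 'Not admin' } });

changeGroupMembership(makeFakeJiraClient(403, NOT_ADMIN_BODY), 'remove', SAMPLE_IDS)
  .then((result) => console.log(JSON.stringify(result)));
```

In a resolver, `isJiraAdmin` would be fed the JSON from an `api.asUser()` call to the mypermissions endpoint so that a non-admin caller gets a clear refusal before any privileged request is sent, and a `not-admin` result from `classifyJiraError` is logged once without the raw upstream body or stack trace reaching the front end.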