I’m working on addon using web panels in “org.bitbucket.pullrequest.overview.informationPanel”. Addon will be added for whole team. Thing I want to achieve is that content displayed for pull request author and reviewer will be different.
JWT token that i’m getting on my backend url for fetching panel html code does not contain information about current user. Only thing that I can get is team details using data from lifecycle installed endpoint and JWT’s issuer of the claim.
Is there any way to get id of currently logged user in a secure way? I know that I can achieve it by using JavaScript bridge, but in that way view that should be visible only to pull request author could be seen by other users after some url tampering.
Hey Syrious93, can you share your add-on descriptor?
Sure thing!
{
"key": "pull-request-confirmer",
"name": "Pull Request Confirmer",
"description": "Shows confirmation of following coding standards status of a pull request",
"baseUrl": "https://xxxxxx",
"lifecycle": {
"installed": "/installed/",
"uninstalled": "/uninstalled/"
},
"modules": {
"oauthConsumer": {
"clientId": "9uPN2CXdecYSDsH6Vk"
},
"webPanels": [{
"key": "pr-list-confirmation-status-icon",
"location": "org.bitbucket.pullrequest.overview.informationPanel",
"name": {
"value": "Confirmation Status"
},
"url": "/status/"
}]
},
"scopes": ["pullrequest", "email", "webhook", "account"],
"contexts": ["account"]
}
I realized that I can pass current user id by url in secure way, because of QSH claim in JWT 