Getting error 403 when calling api update property with axios

HungTran · October 9, 2023, 9:08am

I make a jira update property api call using axios. I encountered a situation where it returned a 403 error, but when I called that api using HttpClient, it returned 200.
Using axios:

	const configRequest = {
		url,
		method: 'PUT',
		headers: {
			'Authorization': `JWT ${token}`,
			'X-Atlassian-Token': 'nocheck',
			'Accept': 'application/json',
			'Content-Type': 'application/json',
		},
		data: data
	}
	return new Promise(async (resolve, reject) => {
			axios(configRequest).then(() => {
			resolve();
		}).catch(error => {
			reject(error);
		})
	})

Using httpClient:

	var httpClient = addon.httpClient(req);
	return new Promise((resolve, reject) => {
		httpClient.put({
	    url: propertyUrl,
	    headers: {
	      'X-Atlassian-Token': 'nocheck'
	    },
	    json: data
		}, function (err, response, body) {
			if (err) reject(err);
			resolve();
	  });
	});

Is there any way to call the api using axios without getting the 403 error again? This error happened only when missing edit issue permission

ianRagudo · October 10, 2023, 4:42am

Hi @HungTran,

In order to better understand your use case, I have the following questions:

What is the API you are calling?
Is the token consistent between the calls using axios and httpClient? An HTTP 403 is expected if the auth used does not have the necessary permissions.

As mentioned in number 2, a 403 is expected if permission is inadequate. Once the permission is supplied, do you still encounter a 403 using axios?

Cheers,
Ian

HungTran · October 10, 2023, 6:09am

Thanks @ianRagudo for the replay
About your question:

I’m calling the api to update issue property PUT '/rest/api/2/issue/' + issueKeyOrId + '/properties/ + propertyName
The 403 error only happened with axios when calling this api and missing edit issue permission. It works fine with both axios and httpClient when having enough permission
I checked and found that httpClient can work in case without the edit issue permission, so I don’t know how can I setting for axios to do it also.

ianRagudo · October 10, 2023, 6:20am

Thanks for the added context, @HungTran.

In this scenario, the axios behavior is the correct one i.e., if the Edit issues project permission is missing, Set issue property should return HTTP 403.

If you can consistently replicate httpClient’s behavior wherein it is successful even for users without Edit issues permission, kindly raise a bug report in this portal.

Cheers,
Ian

HungTran · October 17, 2023, 7:47am

@ianRagudo
Sorry to bother you, but is there any way to check the project’s permission to see if the atlassian-addons-project-access permission is missing? or when the edit issue permission is empty like image

ianRagudo · October 18, 2023, 12:33am

Hi @HungTran,

I am not aware of an API that directly provide this information, however, if the goal is to know if the current user has EDIT_ISSUE permission for a specific project then you can try either of these APIs:

Get permitted projects using the request body

{
  "permissions": [
    "EDIT_ISSUES"
  ]
}

Get my permissions - pass the permission you want to check (EDIT_ISSUES) in the query parameter. You can also specify the project you want to check by passing projectKey.

GET /rest/api/3/mypermissions?projectKey={yourProectKey}&permissions=EDIT_ISSUES

Hope this helps.
Ian