In the context of an app backend I’d like to confirm that a given Jira user is an administrator (has SYSTEM_ADMIN permission) with a minimum of required app scopes .
GET /rest/api/2/mypermissions
This would allow to list all permissions the current user have but requires “ACT_AS_USER” scope to query for an arbitrary user (I’m not interested of permissions of the app user).
Problem: Requires ACT_AS_USER that I don’t need for any other purpose
GET /rest/api/2/user
I’m able to get a list of groups that the user belongs to but translating it to a list of permissions is not possible AFAIK, eg. GET /rest/api/2/group requires ADMIN scope, is deprecated and doesn’t return permissions.
Problem: Determines Jira groups but not permissions.
@david.pinn, do you suggest that it is possible to cal /mypermissions from the server-side of the connect app, which does not have ACT_AS_USER scope, and get permissions for the selected user?
Admin user (and Connect apps with “ADMIN” scope) should be able to check users’ permission.
because I would like to not increase scope of my app by “ADMIN”. I need equivalent of httpClient.asUserByAccountId(req.context.userAccountId).get("/rest/api/3/mypermissions?permissions=ADMINISTER", ... for an app with just “READ” in scope. This is used in a regular REST endpoint of my app.
My whole effort here (including creating the ticket with Atlassian) is to make it possible as currently it requires ACT_AS_USER which we don’t want to introduce (because we don’t want to act as user).
Jira UI allows administrators to check permission of other users, hence the idea of enabling the API check to ADMIN scope.
That issue is only about making the API in question work with custom app permissions. We won’t be changing the scopes required to call it or anything else of that sort.
