How to an app can access issues that are secured

bartlomiej · May 13, 2021, 8:22am

Hi there,

We’ve recently had a customer contact us about an issue with our app - which turned out to be a problem with permissions.

We are indexing issues in the backend, and for that we invoke a JQL request to the search endpoint. That gives us a list of issue ids which we persist, and make another request on the frontend to fetch the actual content and take care of permissions.

The issue comes up when an issue is secured, and in this particular case, the issue requires the user to have an admin permission for the project.

In the past it was possible to edit the security scheme for a project and add an “add-on” user to the scheme, but it looks to me that this is no longer possible.

Is there a way to configure the instance to allow an app to access those issues?

Kind regards,
Bartlomiej Lewandowski

mpaisley · May 25, 2021, 4:02am

Hey Bartlomiej,
Thanks for your question - are you using Connect or Forge to build your app?
Cheers,
Mel

ccurti · May 25, 2021, 5:21am

Hi @bartlomiej,

I think you might be referring to this bug report: [ACJIRA-2406] - Ecosystem Jira.

I don’t have a workaround for this but, if one will be identified, it will be posted on the ticket directly.

It would be good to know here/on the bug report, how many apps are affected and noticed that so far.

Thanks,
Caterina

denizoguz · May 25, 2021, 7:26am

Recently I have also experienced a similar issue. I have fixed it by giving required permission to “atlassian-addons-admins” user group or “atlassian-addons-project-access”.

bartlomiej · May 25, 2021, 9:32am

Connect app

bartlomiej · May 25, 2021, 9:33am

Correct, this issue was probably created after describing the issue in detail in a support ticket

ccurti · May 26, 2021, 1:53am

Thanks for jumping in @denizoguz. Are you sure it is actually working?
I’m trying to understand what I’m doing wrong.

I’ve just tried to do the same by adding these “users” to the Project Settings → Access UI in a team-managed project but, even after adding them, I still cannot retrieve the restricted issues when using the REST APIs in a Connect app.

Here is a screenshot of the Project access page:

denizoguz · May 26, 2021, 7:25am

Hi,
@ccurti Our situation was a little different. It was a Forge app and we were using app “api.asApp().requestJira” method for accessing Jira REST API. I had two problems, first the app didn’t able to retrieve details of an issue, protected with “issue security schema” and a second problem was it didn’t able to retrieve list of “user groups”. Both of them were solved by adjusting permissions of “atlassian-addons-admins” and “atlassian-addons-project-access”. It may not be the same problem but for our similar case adjusting permissions solved both issues.

sash011 · December 19, 2021, 6:35pm

Hi
Has anyone figured out how to give an access to connect app user?
Imagine the project is restricted to a certain user group and we want to allow a particular (connect) app to have access to it as well. How to do that?
Alex

DavidPezet1 · October 25, 2022, 5:30pm

Thanks! This seems to have worked for a Forge app in the production environment, but I’m having trouble while it is in the development environment. I even tried adding the app user directly to the issue type security scheme. Two users show for the app in the single user selection. I assume one is the development install and one is the production install. I added both, but this did not help. Have you experienced anything similar while working with it in the development environment?