How to handle page restrictions for an add-on user?

Hi community,

We are working on our first app using the atlassian-connect framework and we wonder how to deal with permissions on a customer instance.

We chose the READ/WRITE scopes for our add-on.

However, whenever a page/space is restricted (by a user or the space admin), our add-on user is not allowed to read the page.

As far as we can see, there are 2 possible solutions:

  1. send back an error message to the user so that they grant read permissions to our add-on user
     • pro: permissions are handled on a case-by-case basis
     • con: it requires users to perform an extra action and to potentially request support from their site admin
  2. use the ACT_AS_USER scope
     • pro: the add-on will work seamlessly for all the content accessible to the user
     • con: our add-on will have many more permissions than needed (for instance, if an admin is using the add-on). It thus increases our exposure in terms of security.

Would you have any recommendations based on your own experience?

Thanks in advance for your feedback,

Farid

1 Like

Hi @Farid ,

So long as the ACT_AS_USER scope is only used for the user that is active and there’s no attempt to retain the accessed content for use in some other context, then I’d say this would be the way to go.

Regards,
Dugald
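
One way to enforce the condition in the answer above (impersonate only the user who is active in the current request), shown as an added example that is not part of the original thread and not Atlassian's code. `ActAsUserGate`, the `ctx` fields and the injected `exchange` function are hypothetical names; `exchange` stands in for whatever call the app uses to obtain a short-lived ACT_AS_USER token, and is synchronous here only to keep the example self-contained.

```javascript
// Added example: every name below is hypothetical, not an Atlassian Connect API.
// exchange(clientKey, accountId) is assumed to return { token, expiresAt }
// (expiresAt in epoch milliseconds) for one user on one tenant.
class ActAsUserGate {
  constructor(exchange, now = () => Date.now()) {
    this.exchange = exchange;
    this.now = now;
    this.tokens = new Map(); // one entry per (tenant, user); tokens only, never content
  }

  // ctx comes from the already-verified JWT of the incoming request:
  // { clientKey, accountId }. targetAccountId is the user the caller wants to act as.
  tokenFor(ctx, targetAccountId) {
    if (!ctx || !ctx.clientKey || !ctx.accountId) {
      throw new Error('no verified user in request context');
    }
    if (targetAccountId !== ctx.accountId) {
      // Refuse to act as anyone but the active user (e.g. a stored admin id).
      throw new Error('impersonation limited to the active user');
    }
    const key = `${ctx.clientKey}\u0000${ctx.accountId}`;
    const hit = this.tokens.get(key);
    if (hit && hit.expiresAt > this.now()) return hit.token;
    const fresh = this.exchange(ctx.clientKey, ctx.accountId);
    this.tokens.set(key, fresh);
    return fresh.token;
  }

  // Run work(token) for the active user and hand back only its result.
  // The gate keeps nothing that work() fetched, so content read as one user
  // is not available later in another user's context.
  withActiveUser(ctx, work) {
    return work(this.tokenFor(ctx, ctx && ctx.accountId));
  }
}
```

The token cache is keyed by tenant and user together, so a token minted for one customer instance is never reused for a user with the same id on another.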

Hi @dmorrow ,

Thanks for your answer!
We’ll go with the ACT_AS_USER scope as advised.

Cheers,

Farid

1 Like