We are working on our first app using the atlassian-connect framework, and we wonder how to deal with permissions on a customer instance.
We chose the READ/WRITE scopes for our add-on.
However, whenever a page/space is restricted (by a user or the space admin), our add-on user is not allowed to read the page.
As far as we can see, there are 2 possible solutions:
- send back an error message to the user so that they grant read permissions to our add-on user
  - pro: permissions are handled on a case-by-case basis
  - con: it requires users to perform an extra action and to potentially request support from their site admin
- use the ACT_AS_USER scope
  - pro: the add-on will work seamlessly for all the content accessible to the user
  - con: our add-on will have many more permissions than needed (for instance, if an admin is using the add-on). It thus increases our exposure in terms of security.
Would you have any recommendations based on your own experience?
Thanks in advance for your feedback,