I am working on an Atlassian Connect add-on that should have restricted access for some of its views based on the groups of the user. The access control should mean both having the restricted items hidden in the UI and not being able to make direct calls to the backend API. The add-on is for JIRA but I think this question is not specific to JIRA.
As far as I understand, the only way (without deprecated remote conditions) to have conditions for not showing the views based on groups would be to use ‘addon_property_contains_any_user_group’ condition and then add a property stored in the hosted data storage for setting which groups are allowed to access the views.
I have two questions:
- Is this approach secure enough to use as the access control for the backend?
  - In the Hosted Data Storage doc (https://developer.atlassian.com/static/connect/docs/latest/concepts/hosted-data-storage.html) there is a warning that “Add-on properties can be manipulated by a malicious authenticated user (e.g. by making REST calls through the developer console)”.
  - In the REST API doc for setting the add-on properties (https://developer.atlassian.com/static/connect/docs/latest/rest-apis/index.html), it is specified though that trying a PUT on the property returns 404 if “Request issued by a user with insufficient credentials, e.g. for an add-on’s data by anyone but the add-on itself”.

  Ideally I would want to trust in my backend code that anyone coming to the view link with a valid JWT also meets the security condition of belonging to the required group. But if “a malicious authenticated user” can change the add-on properties, does that mean that I would also need to store the group permissions in my own backend and double-check in the backend, using the REST API, that the user really belongs to the required group? I would still need to use the add-on property for controlling the visibility of the UI elements, so then the check would need to be done twice.

  In the REST API doc it says that only the add-on user can set the properties, which as far as I understand is only used when doing the request from the backend through the REST API (and not when using AP.request(), which would use the user in the browser)? But what does it mean then that “a malicious authenticated user” can change them too?
- What would be a recommended way of setting default values for the add-on properties?

  In my current use case it would actually be enough to set the required groups statically in the atlassian-connect.json. In any case I would want to set default values for the add-on properties.

  Is there a way to specify default values for the hosted data storage properties in e.g. atlassian-connect.json? If not, what would be a good way of doing this? I am currently doing this by REST API in the ‘add-on enabled’ lifecycle hook, does that sound reasonable?
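As an added illustration of the backend side of the first question (example code, not the poster's add-on and not Atlassian's library code): the UI condition built on an add-on property only controls visibility, so the backend independently verifies the Connect JWT (HS256 with the tenant's shared secret, plus the `qsh` query-string hash and `exp`) and then checks the caller's group membership against an allow-list stored in the add-on's own backend. The shared secret, account ids, group names and the `lookup_groups` function are constructed stand-ins; in a real add-on `lookup_groups` would call the JIRA REST API with the add-on's credentials, and the `qsh` computation here is a simplified version of the Connect canonical-request rule.

```python
import base64
import hashlib
import hmac
import json
import time
from urllib.parse import quote

# Constructed values standing in for real tenant data.
SHARED_SECRET = "constructed-shared-secret-for-example-only"
ALLOWED_GROUPS = {"jira-administrators", "addon-power-users"}  # stored in the add-on backend, not in an add-on property
CONSTRUCTED_DIRECTORY = {
    "acc-1": ["jira-administrators", "jira-users"],
    "acc-2": ["jira-users"],
}


def lookup_groups(account_id):
    """Stand-in for a server-side REST call that lists a user's groups."""
    return CONSTRUCTED_DIRECTORY.get(account_id, [])


def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def canonical_qsh(method, path, query):
    """Simplified Connect query-string hash: METHOD&path&sorted params, SHA-256 hex."""
    params = "&".join(
        f"{quote(k, safe='')}={quote(v, safe='')}"
        for k, v in sorted(query.items())
        if k != "jwt"
    )
    return hashlib.sha256(f"{method.upper()}&{path}&{params}".encode()).hexdigest()


def sign_jwt(claims, secret):
    """Issue an HS256 token; used here only to construct test input (the host normally issues it)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(secret.encode(), f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_jwt(token, secret, expected_qsh, now=None):
    """Return the claims if signature, algorithm, expiry and qsh all check out, else None."""
    try:
        header, payload, sig = token.split(".")
        if json.loads(_b64url_decode(header)).get("alg") != "HS256":
            return None  # refuse 'none' or any algorithm other than the one Connect uses
        expected = hmac.new(secret.encode(), f"{header}.{payload}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig)):
            return None
        claims = json.loads(_b64url_decode(payload))
    except (ValueError, UnicodeDecodeError, json.JSONDecodeError):
        return None
    now = time.time() if now is None else now
    if claims.get("exp", 0) < now:
        return None
    if claims.get("qsh") != expected_qsh:
        return None  # token was issued for a different request
    return claims


def authorize_view(token, secret, method, path, query, allowed_groups, groups_of, now=None):
    """Backend access decision: valid JWT for this request AND membership in an allowed group."""
    claims = verify_jwt(token, secret, canonical_qsh(method, path, query), now)
    if claims is None:
        return (False, "invalid or expired JWT")
    account_id = claims.get("sub")
    if not account_id:
        return (False, "no user in token")
    if set(groups_of(account_id)).isdisjoint(allowed_groups):
        return (False, "user not in an allowed group")
    return (True, account_id)
```

The group lookup is deliberately independent of the add-on property that drives the UI condition, so a user who manages to alter that property gains at most a visible menu item, not access to the view.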