Limiting Access to Certain Pages

Hello,

I’m working on an Admin page for a Jira plugin that can be accessed through the cog wheel at the top right when the user is a System Admin. However, when a non-System Admin has the URL to the page, they are still able to access it. What tools are available to not allow users to access a specific URL in a plugin? I’ve read the docs, but many of the solutions I’ve seen have not worked.

Thanks in advance.

Hi @PleasantWalrus,

Could you confirm you are following this documentation page? You could do a security check inside the condition class. This, I think, would help you hide the menu while the user isn’t an admin, for instance.

Additionally, if you’ve created a WebAction, you could do a security check inside the WebAction’s execute method and return an error String if the user’s security role doesn’t check out.

This way, you’re safe both on the front and back end.

Good luck!

1 Like

Thanks for your reply.

Currently, I have a servlet set up in Java and was planning on doing a check inside the Get method that is called when the page is first loaded. With this being said, I didn’t know what classes to use to check for this.

Would you happen to know any resources to achieve this?

Thanks in advance.

I have to admit I’m not 100% certain I can grasp your whole use case but basically if you’re doing the call in JavaScript yourself to your own REST API, you could fail the call in your REST API and handle the failure in JavaScript.

The steps you are describing are almost exactly what I was looking to implement, however my main issue is that I’m not sure how to check if the current user is an admin or not from my Java servlet.

Here is one way of doing it:

By either injecting or calling through the ComponentAccessor, you will need the JiraAuthenticationContext and the GlobalPermissionManager components.

The first one is used to get the logged-in user, with getLoggedInUser(), and the second one lets you confirm the user’s permissions, with hasPermission(GlobalPermissionKey, ApplicationUser).

To check if the current user is an admin, you would use hasPermission(GlobalPermissionKey.ADMINISTER, ApplicationUser).

I hope it helps!

3 Likes
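
The check described in the answer above, written out as a servlet (an added example, not code posted by anyone in this thread). The class name `AdminOnlyServlet` and the page body are hypothetical, and the `javax.servlet` API is assumed. It goes slightly beyond the thread by placing the check in `service()`, so a direct request with any HTTP method is rejected, not only the initial GET.

```java
import com.atlassian.jira.component.ComponentAccessor;
import com.atlassian.jira.permission.GlobalPermissionKey;
import com.atlassian.jira.security.GlobalPermissionManager;
import com.atlassian.jira.security.JiraAuthenticationContext;
import com.atlassian.jira.user.ApplicationUser;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;

// Hypothetical servlet; declare it in atlassian-plugin.xml like any other servlet module.
public class AdminOnlyServlet extends HttpServlet {

    // True only for a logged-in user who holds the global admin permission.
    private boolean currentUserIsAdmin() {
        JiraAuthenticationContext authContext = ComponentAccessor.getJiraAuthenticationContext();
        GlobalPermissionManager permissions = ComponentAccessor.getGlobalPermissionManager();
        ApplicationUser user = authContext.getLoggedInUser(); // null for anonymous requests
        // ADMINISTER is the key named in the answer above; GlobalPermissionKey.SYSTEM_ADMIN
        // is the stricter key if only system administrators should pass.
        return user != null && permissions.hasPermission(GlobalPermissionKey.ADMINISTER, user);
    }

    // service() dispatches to doGet/doPost/etc., so checking here covers every method.
    @Override
    protected void service(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        if (!currentUserIsAdmin()) {
            // Fail closed: hiding the menu link does not protect the URL itself.
            resp.sendError(HttpServletResponse.SC_FORBIDDEN, "Administrator permission required");
            return;
        }
        super.service(req, resp);
    }

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws IOException {
        // Reached only after the permission check in service() has passed.
        resp.setContentType("text/html;charset=UTF-8");
        resp.getWriter().write("<h1>Plugin administration</h1>");
    }
}
```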

Just tested it and it works perfectly.

I can’t thank you enough!

Hello - Hope you’re doing well.

I was also wondering if you knew a way to check for Project Administrator privileges.

Currently I have one for System Administrator, but could not find a variable to check for the above.

Thanks!