Missing permissions when using .asApp()

Hi, I’m trying to develop my first Forge app, so experience is limited and I may be missing a key element, but it seems that when I attempt a REST API call using the .asApp() for the ‘user’ context I am missing some key permissions for the call to be successful.

Specifically, I’m making the call to create a new issue:

var response = await api.asApp().requestJira('/rest/api/3/issue', {
    method: 'POST',
    headers: {
        'Accept': 'application/json',
        'Content-Type': 'application/json'
    },
    body: requestBody
});

I can pass the exact same JSON that’s in requestBody via a cURL call (using my username and API token for auth) and it is successful, but when passed under the app context, the API responds with errors about how summary and description cannot be set as they aren’t on the appropriate screen. Most all the posts I’ve seen with that type of error have boiled down to permissions or the fields not being on the create screen. Since the fields are on the screen and the call with the same data is successful under a user context, that seems to point to permissions.

I guess the last thing that is probably worth mentioning is the reason I’m using .asApp() rather than .asUser() … it’s because this code executes as part of a webtrigger that receives a POST whenever a certain event occurs in an external system. So there is no user context under which it can run in this case … if only!

Thanks in advance for any guidance!

Hey Jarod,
I’m just wondering what permission level you’re requesting in your app manifest?

Cheers,
Mel

Hi Mel! Thanks for taking a look. I should have included that in the original post. Anyway, the following scopes are requested via the app manifest:

permissions:
  scopes:
    - write:jira-work
    - read:jira-work

Hey Jarod,
I was able to create the issue on my site; here’s my code (I hard-coded the project and issue types … but you get the idea).

The permissions used when you send through a request on your behalf versus on the app’s behalf are different, so that in itself would indicate a possible permission issue.

I’m wondering what your project permissions are set to for ‘create issue’ for the project you’re creating the issue in? (My Create Issues permissions are granted for: Project Role (atlassian-addons-project-access), Application access (Any logged in user))

import api from "@forge/api";

export const run = async () => {
    // Request body with a hard-coded project key and issue type id.
    var bodyData = `{
  "update": {},
  "fields": {
        "summary": "Hello World",
        "issuetype": {
            "id": "10001"
        },
        "project": {
            "key": "CATS"
        },
        "description": {
            "type": "doc",
            "version": 1,
            "content": [
                {
                "type": "paragraph",
                "content": [
                    {
                    "text": "Hello World.",
                    "type": "text"
                    }
                ]
                }
            ]
        }
    }
}`;

    // asApp() sends the request as the app's own user, not as a person.
    const response = await api.asApp().requestJira('/rest/api/3/issue', {
        method: 'POST',
        headers: {
            'Accept': 'application/json',
            'Content-Type': 'application/json'
        },
        body: bodyData
    });

    console.log(`Response: ${response.status} ${response.statusText}`);
    console.log(await response.json());
};

Hi Jarod,

Welcome to the Atlassian Developer Community!

The issue at hand might well be a manifestation of this seemingly complex Forge issue:

The TL;DR on the root cause is as follows, but I strongly recommend reading the detailed description for context and two possible workarounds:

Due to an underlying limitation, additional permissions for the app system user are not configured when the app is installed.

If your app attempts to read, write, or manage content using .asApp() authentication in a container (project or space) that is not accessible to default user group, that API call will fail.


Thank you both so much! It was indeed a permissions issue and, thankfully, one that could be remedied by assigning some project permissions.

@mpaisley I did not have any Application Access permissions defined for Create Issue. I tried adding it for Jira Core (since it sounded more restrictive than Any logged in user ???) and that did the trick!

@sopel If I understand the linked issue correctly, it does sound like this is the issue/limitation I’ve encountered. I was prepared to use the suggested workaround and assign the permissions programmatically but was glad that it could be handled (for now at least) via the Project Permissions UI that Mel mentioned.

Again, I greatly appreciate the guidance!
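
The diagnosis reached in this thread, as a runnable check (an added example, not code from any of the posters): when issue creation in the app context fails, it asks Jira's `mypermissions` endpoint which project permissions the calling identity actually holds. The injected `requestJira` function, the `fakeJira` stub and the sample error text are assumptions constructed for the example.

```javascript
// Added example. `requestJira(path, options)` is an injected, fetch-like function
// (assumption) so the logic runs outside Forge; in an app it would wrap
// api.asApp().requestJira.

// Ask Jira which of `keys` the calling identity holds in one project.
async function appPermissions(requestJira, projectKey, keys) {
  const query = `projectKey=${encodeURIComponent(projectKey)}&permissions=${keys.join(',')}`;
  const res = await requestJira(`/rest/api/3/mypermissions?${query}`, {});
  // 404: the project is not even visible to the caller, so nothing is granted.
  if (res.status === 404) return Object.fromEntries(keys.map((k) => [k, false]));
  if (!res.ok) throw new Error(`mypermissions returned ${res.status}`);
  const { permissions = {} } = await res.json();
  return Object.fromEntries(keys.map((k) => [k, permissions[k]?.havePermission === true]));
}

// Create the issue; on failure, report which project permissions the caller
// lacks before blaming the screen configuration named in the error.
async function createIssueWithDiagnosis(requestJira, fields) {
  const res = await requestJira('/rest/api/3/issue', {
    method: 'POST',
    headers: { Accept: 'application/json', 'Content-Type': 'application/json' },
    body: JSON.stringify({ fields }),
  });
  if (res.ok) return { created: true, missing: [], fieldErrors: [] };
  const { errors = {} } = await res.json();
  const perms = await appPermissions(requestJira, fields.project.key, ['BROWSE_PROJECTS', 'CREATE_ISSUES']);
  const missing = Object.keys(perms).filter((k) => !perms[k]);
  return { created: false, status: res.status, fieldErrors: Object.keys(errors), missing };
}

// Constructed stand-in for Jira: rejects creation with the field errors described
// in the thread unless CREATE_ISSUES is in `granted`.
function fakeJira(granted) {
  const reply = (status, data) => ({ status, ok: status < 300, json: async () => data });
  return async (path, options) => {
    if (path.startsWith('/rest/api/3/mypermissions')) {
      const keys = new URL(path, 'https://example.invalid').searchParams.get('permissions').split(',');
      return reply(200, { permissions: Object.fromEntries(
        keys.map((k) => [k, { key: k, havePermission: granted.includes(k) }])) });
    }
    if (options.method === 'POST' && granted.includes('CREATE_ISSUES')) return reply(201, { key: 'CATS-1' });
    const msg = (f) => `Field '${f}' cannot be set. It is not on the appropriate screen, or unknown.`;
    return reply(400, { errorMessages: [], errors: { summary: msg('summary'), description: msg('description') } });
  };
}

// App user can browse the project but was never granted Create Issues.
createIssueWithDiagnosis(fakeJira(['BROWSE_PROJECTS']), { project: { key: 'CATS' }, summary: 'Hello World' })
  .then((result) => console.log(result));
```

A non-empty `missing` list alongside screen-related field errors points at the app user's project permissions rather than at the create screen.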
