Only Connect add-on users with admin scope permission are allowed to override the editable flag

Hello, I am attempting to get/update an issue. I am attempting to use OAuth 2.0 impersonation. I can do all the necessary gets and updates, except when I am attempting to update/get a field that is not visible. I am attempting to run the following REST command.

/rest/api/3/issue/${issueIdOrKey}?overrideEditableFlag=true

I’m getting the following error: Only Connect add-on users with admin scope permission are allowed to override the editable flag.

I have followed the following steps that again work when doing a normal put/get request. I only get the error when I add the overrideEditableFlag setting to allow me to edit non-visible fields.

Any help on why I’m getting the error would be appreciated.

Built the Token

const moment = require('moment');
const jwt = require('atlassian-jwt');

// Placeholders, filled in from the app descriptor and the installation data
const clientId = '<clientid>';
const baseUrl = '<baseUrl>';
const secret = '<secret>';
const userId = '<useraccountid>';
const issueIdOrKey = '<issueIdOrKey>';

const now = moment();

var tokenData = {
  iss: "urn:atlassian:connect:clientid:" + clientId,
  sub: "urn:atlassian:connect:useraccountid:" + userId,
  tnt: baseUrl,
  qsh: jwt.createQueryStringHash(jwt.fromMethodAndUrl('PUT', `/rest/api/3/issue/${issueIdOrKey}?overrideEditableFlag=true`)),
  aud: "https://oauth-2-authorization-server.services.atlassian.com",
  iat: now.unix(),
  exp: now.add(10, 'seconds').unix() // moment#add mutates `now`, but iat was already read above
};

const token = jwt.encode(tokenData, secret);

Use token above to get access token

const request = require('request');

var parameters = {
  grant_type: "urn:ietf:params:oauth:grant-type:jwt-bearer",
  assertion: token,
  scope: "READ WRITE ACT_AS_USER ADMIN"
};

var AUTHORIZATION_SERVER_URL = "https://oauth-2-authorization-server.services.atlassian.com";
console.log("\nRequesting access token"); // the original ".bold" needs the colors module

request.post({
  url: AUTHORIZATION_SERVER_URL + '/oauth2/token',
  form: parameters,
  json: true,
  headers: {
    "accept": "application/json"
  }
}, function (err, res, body) {
  if (err) throw err;
  // body.access_token is the bearer token used in the next step
  // ....
});

Make a call with the returned access token

const fullResourcePath = `<full path>/rest/api/3/issue/${issueIdOrKey}?overrideEditableFlag=true`;

const bodyData = `{
  "fields": {
    "summary": "Having issue using update api for connect v2",
    "key": "NX-200"
  }
}`;

const access_t = '<token generated from above>';

fetch(fullResourcePath, {
  method: 'PUT',
  headers: {
    "Authorization": "Bearer " + access_t,
    'Accept': 'application/json',
    'Content-Type': 'application/json'
  },
  body: bodyData
})

...

Hi @bruce,

This is documented in the API:

Connect app users with admin permissions (from user permissions and app scopes) can override the screen security configuration using overrideScreenSecurity and overrideEditableFlag.

You would need to ensure your app’s descriptor includes the ADMIN scope and also make the API call with a regular JWT rather than a JWT impersonating a user.

Regards,
Dugald

1 Like

Thanks, @dmorrow.

This worked! Awesome! I was able to run commands using JWT only for the following parameters overrideEditableFlag=true overrideScreenSecurity=true without getting an error.

My goal with this was to override several backend fields like the “key” and “create date” for some older data I am pulling from another application. I’m trying to make sure the information matches what I am extracting from other systems.

Error:

{"errorMessages":[],"errors":{"created":"Field 'created' cannot be set. It is not on the appropriate screen, or unknown.","key":"Field 'key' cannot be set. It is not on the appropriate screen, or unknown."}}

I am using the following logic.

const bodyData = `{
  "fields": {
    "summary": "Having issue using update api for connect v4",
    "created": "2020-12-21T02:23:38.319+0000",
    "key": "NX-1"
  }
}`;

fetch(fullResourcePath, {
  method: 'PUT',
  headers: {
    'Authorization': `JWT ${token}`,
    'Accept': 'application/json',
    'Content-Type': 'application/json'
  },
  body: bodyData
});