Permission check when handling webhook

jack · May 9, 2019, 2:30pm

Is there a way to check user permission when handling /issue-updated webhook (server-side)?

It sounds like an obvious thing to do, but I’m not able to find an answer. What I looked at is:

Jira expressions (there is no way to use it in a webhook definition in atlassian-connect.json unfortunately)
Jira REST API (it only allows to check permission for the user making a request, but my app does not have “ACT_AS_USER” scope).

So, is there a way to check user permission acting as an app (server-side) with ADMIN permission?

Thanks,
Jack

jack · May 10, 2019, 5:13pm

@kkercz, maybe you can share your knowledge here?

Thanks,
Jack

kkercz · May 10, 2019, 8:15pm

Heh, I actually started writing an answer some time ago but got distracted and never got back to it.

So unfortunately, the only way is the REST API, and all permission checking endpoints assume you want to check permissions of the currently logged-in user. I’m afraid you would need to add the ACT_AS_USER scope to your app.

If that’s not an option, I would suggest creating a feature request in ACJIRA for an endpoint that would allow you to specify a user to check permissions for.

Hope this helps.

jack · May 12, 2019, 1:36pm

@kkercz Thank you for the answer.

I will raise an issue as it seems to be a hole not letting ADMIN check the permission of a user.

But, is there a request already to support conditions and expressions in webhooks? That could help us too.
On the side note, can I use expressions as part of conditions as part of context parameters ?
I tried the following (as part of a web panel URL), but it always returns “false”, even if the project is a classic one (not next-gen):

&classicProject={condition.jira_expression(expression='project.style==classic')}

I tried to put quotes in various places but it did not help.
project.style is not expanded as a context-parameter too.

Overall, I want to pass information if the project is next-gen or not.

Thanks,
Jack

kkercz · May 13, 2019, 6:27am

it seems to be a hole not letting ADMIN check the permission of a user.

Yes, I agree. I can’t see any reason why admins shouldn’t be allowed to check permissions of other users, especially that it’s already available in the UI.

can I use expressions as part of conditions as part of context parameters

It should be possible. When it comes to syntax, it should be the following in this case (the expression itself is not in any quotes, like other arguments in other inline conditions):

&classicProject={condition.jira_expression(expression=project.style=='classic')}

Let me know if that doesn’t work, I’ll investigate further.

jack · May 13, 2019, 11:08am

This version works well. Thank you.

Raised the following requests:

check the permission of a user through REST API https://ecosystem.atlassian.net/browse/ACJIRA-1812
support context parameters in webhooks: https://ecosystem.atlassian.net/browse/ACJIRA-1813
support conditions in webhooks: https://ecosystem.atlassian.net/browse/ACJIRA-1814