Permission issue when migrating app data to Content Property on Confluence Cloud

Hi lovely devs,

We’re using doing Confluence app data migration as follows:

  1. Export app data from server to cloud storage
  2. Upon receiving APP_DATA_UPLOADED migration webhook, get the exported data and save it to content property using REST API

However, we noticed that updating Content Property on step 2 is failing with restricted pages or when the migrated space does not have permission set for our app. A workaround is to remove the page restriction and add confluence-users group to the space before migration. However, this workaround is not practical for the customers.

Is there a way to bypass this permission issue?

7 Likes

Hi @BrigitteLeong,

Thanks for your question. From what I understand, your app has WRITE access scope as defined in Scopes for Atlassian Connect apps, but this doesn’t allow access to restricted pages or spaces.

There have been some new REST apis specifically for apps to apply permissions which came as a fix to

So something like Add new custom content permission to space might provide what you need. You might need to update your Connect descriptor to allow calls to that REST api.

Let me know if this helps.

Regards,
James.

3 Likes

Thanks for the suggestion @jrichards. Yes, my app initially has READ and WRITE scope but it is not able to update a page or its content property because it doesn’t have any space permission.

Space permission on Server

Migrated space permission on Cloud - Scaffolding App is missing

Adding SPACE_ADMIN scope solved the issue because the app is now granted the required space permissions.

Migrated space permission on Cloud - permission for Scaffolding App is applied during migration

However, I am still facing issue with updating pages with restrictions. I tried to use the delete restriction API but the request failed because the app doesn’t have access to restricted pages. Is there a way for the app to temporarily bypass page restriction during migration?

1 Like

Hi @BrigitteLeong,

I’ve been looking into this with some help from different teams and I’d like to make sure we understand the issue.

You’re trying to update the content properties of a page, I assume using this REST api

And you’re having an issue because pages with restrictions don’t allow the Connect app access to the content.

When a migration happens for a Space, we include content properties with the content. Are these new properties that you’re adding? Would it be possible to add them on server prior to migration? (e.g. on the next app update?)

Or is there some admin-activated task you could use to do the update from the admin console? This would mean marking the migration status as INCOMPLETE and posting a message saying a final task the to be performed and a link to the admin page in the cloud site.

Please note as well this recent change about content properties

Regards,
James

1 Like

Yes @jrichards, that is the issue that we’re facing. Thanks for the suggestions, I’m currently looking into both suggestions to see which one is more feasible for our app although I need more details on content property migration.

When a migration happens for a Space, we include content properties with the content. Are these new properties that you’re adding? Would it be possible to add them on server prior to migration? (e.g. on the next app update?)

The properties already exists on server but they’re not migrated over to cloud. We are using this interface on server: ContentPropertyManager (Atlassian Confluence 7.1.0 API). Are all content properties migrated or is there a requirement for content properties to be migrated? Does using an old interface (ContentPropertyManager) affect its migration?

Regards,
Brigitte

Hi @BrigitteLeong,

You can check if the content properties are exported by running a manual Space export, opening the zip file and looking in entities.xml for data in the <property name="pluginModuleKey"> elements.

Using the old interface shouldn’t be an issue. One of the main things related to https://jira.atlassian.com/browse/MIG-288 is that the pluginModuleKey has to match one of the available apps. If you’re doing something funky then the data will be migrated but might not get the ac: prefix.

What is the app and what is the exact content data so I can have a deeper look?

Regards,
James.

The app is Scaffolding and this is the exported data:

    <object class="BucketPropertySetItem" package="bucket.user.propertyset">
        <composite-id>
            <property name="entityName" type="string"><![CDATA[confluence_ContentEntityObject]]></property>
            <property name="entityId" type="long">114068787</property>
            <property name="key" type="string"><![CDATA[~metadata.3]]></property>
        </composite-id>
        <property name="type">5</property>
        <property name="booleanVal">false</property>
        <property name="doubleVal">0.0</property>
        <property name="stringVal"><![CDATA[<metadata> <entry>
    <string>aaa</string>
    <string>&lt;p&gt;This is a Scaffolding text data&lt;/p&gt;</string></entry></metadata>]]></property>
        <property name="textVal"><![CDATA[]]></property>
        <property name="longVal">0</property>
        <property name="intVal">0</property>
        <property name="dateVal"/>
    </object>

We are using ContentPropertyManager to add content properties to ContentEntityObjects (pages) and we noticed that there is no pluginModuleKey.

Does the app need to add pluginModuleKey property when creating content properties?
Or do we need to use CustomContentEntityObjects for it to be migrated? If so, is CustomContentEntityObject usable with page?

2 Likes

@BrigitteLeong Have you explored the option of custom content permission API, If custom content is created by your app then you can use our custom content permission API to add access for content own by your app.

Hi @DhiralPandya yes, we’ve looked at the API because it was suggested before. It is not relevant for our use case because we’re trying to add content property to a page, not custom content.