We are trying to implement some Forge validators as a part of considering the now-required cloud migration.
Following the tutorial we have been able to get the ‘issue-is-assigned-validator’ example to work on a default software project with the ‘Default software scheme’ permission scheme.
We then migrated one of our server projects (with its associated permission scheme) and attached this validator to a transition. The transition fails, noting a likely bug in the Forge app. When we insert logging statements:
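    import api from '@forge/api';

    export const run = async ({ issue }) => {
      console.log(issue);
      const { key: issueKey } = issue;
      // Request the issue as the app user, not as the user performing the transition
      const response = await api.asApp().requestJira(`/rest/api/3/issue/${issueKey}`);
      console.log(response);
      // ... remainder of the tutorial validator
    };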
We see:
    INFO 2020-11-03T16:05:13.940Z 9b25c2be-1aac-49b8-b090-49e3e6eb6755 { id: 18274, key: 'XX-2033' }
    INFO 2020-11-03T16:05:14.353Z 9b25c2be-1aac-49b8-b090-49e3e6eb6755 {
      text: '[Function: text]',
      json: '[Function: json]',
      arrayBuffer: '[Function: arrayBuffer]',
      ok: false,
      status: 404,
      statusText: 'Not Found'
    }
Which appears to be a permission problem. The manifest.yml does have:
    permissions:
      scopes:
        - read:jira-work
And in looking at the Jira REST API for the Get issue endpoint it shows:
Permissions required:
Browse projects project permission for the project that the issue is in.
If issue-level security is configured, issue-level security permission to view the issue.
We do not have issue-level security, so we focused on the Browse projects permission. The key difference here is that in the default project that worked, this permission is granted to ‘Any logged in user’.
When we add ‘Any logged in user’ to our project’s permission scheme the validator does work. However, we would like to have these permissions be more restrictive.
If I remove ‘Any logged in user’ and add groups that contain both the user executing the transition and the user who created the Forge project token, the validator fails with a permission issue again.
I do not seem to be able to have this example validator function with anything more restrictive for Browse Projects than ‘Any logged in user’. Is there any way to accomplish this (or more detail I can give you)?
Thank you.
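
An added diagnostic for the 404 described in the post above (not code from the original poster or from Atlassian's tutorial): Jira's Get issue endpoint answers 404 both when an issue does not exist and when the caller cannot view it, so this sketch asks `/rest/api/3/mypermissions` whether the caller holds `BROWSE_PROJECTS` on the project. The function names, the result labels and the injected `requestJira` wrapper are assumptions made for the example, as is the expectation that the `read:jira-work` scope covers the permissions lookup.

```javascript
// Added example. Classify a failed issue lookup from the two HTTP results.
// Pure function, so it can be exercised without a Jira site.
function diagnoseIssueLookup(issueStatus, permStatus, permBody) {
  if (issueStatus >= 200 && issueStatus < 300) return 'ok';
  if (issueStatus !== 404) return 'other-error';
  // mypermissions may itself answer 404 when the project is not visible to the caller.
  if (permStatus === 404) return 'app-cannot-browse-project';
  const perm = permBody && permBody.permissions && permBody.permissions.BROWSE_PROJECTS;
  if (permStatus !== 200 || !perm) return 'unknown';
  return perm.havePermission
    ? 'issue-missing-or-issue-security'
    : 'app-cannot-browse-project';
}

// requestJira is injected (hypothetical wrapper). In a Forge app it would wrap
// api.asApp().requestJira so both calls run with the app's identity.
async function checkAppAccess(requestJira, issueKey) {
  // Project keys contain no hyphen, so everything before the last '-' is the key.
  const projectKey = issueKey.slice(0, issueKey.lastIndexOf('-'));
  const issueRes = await requestJira(`/rest/api/3/issue/${encodeURIComponent(issueKey)}`);
  if (issueRes.ok) return 'ok';
  const permRes = await requestJira(
    `/rest/api/3/mypermissions?projectKey=${encodeURIComponent(projectKey)}` +
    '&permissions=BROWSE_PROJECTS'
  );
  const body = permRes.status === 200 ? await permRes.json() : null;
  return diagnoseIssueLookup(issueRes.status, permRes.status, body);
}

// Constructed sample of a mypermissions body in which the caller lacks Browse projects.
const SAMPLE_DENIED = {
  permissions: { BROWSE_PROJECTS: { key: 'BROWSE_PROJECTS', havePermission: false } },
};
```

Logging the returned label inside the validator shows whether the identity used by `asApp()` can browse the project at all, which is separate from what the user running the transition can see.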