Permissions required to call requestJira

We are trying to implement some Forge validators as a part of considering the now-required cloud migration.

Following the tutorial we have been able to get the ‘issue-is-assigned-validator’ example to work on a default software project with the ‘Default software scheme’ permission scheme.

We then migrated one of our server projects (with its associated permission scheme) and attached this validator to a transition. The transition fails, noting a likely bug in the Forge app. When we insert logging statements:

import api from '@forge/api';

export const run = async ({ issue }) => {
	console.log(issue);
	const { key: issueKey } = issue;
	// Call the Get issue endpoint as the app, not as the transitioning user
	const response = await api.asApp().requestJira(`/rest/api/3/issue/${issueKey}`);
	console.log(response);
};

We see:

INFO    2020-11-03T16:05:13.940Z 9b25c2be-1aac-49b8-b090-49e3e6eb6755 { id: 18274, key: 'XX-2033' }
INFO    2020-11-03T16:05:14.353Z 9b25c2be-1aac-49b8-b090-49e3e6eb6755 {
  text: '[Function: text]',
  json: '[Function: json]',
  arrayBuffer: '[Function: arrayBuffer]',
  ok: false,
  status: 404,
  statusText: 'Not Found'
}

Which appears to be a permission problem. The manifest.yml does have:

permissions:
  scopes:
    - read:jira-work

And looking at the Jira REST API documentation for the Get issue endpoint, it shows:

Permissions required:
Browse projects project permission for the project that the issue is in.
If issue-level security is configured, issue-level security permission to view the issue.

We do not have issue-level security, so we focused on the Browse projects permission. The key difference here is that in the default project that worked, this permission is granted to ‘Any logged in user’.

When we add ‘Any logged in user’ to our project’s permission scheme the validator does work. However, we would like to have these permissions be more restrictive.

If I remove ‘Any logged in user’ and add groups that contain both the user executing the transition and the user who created the Forge project token, the validator fails with a permission issue again.

I do not seem to be able to have this example validator function with anything more restrictive for Browse Projects than ‘Any logged in user’. Is there any way to accomplish this (or more detail I can give you)?

Thank you.

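As an added example (not the post's code or the Forge tutorial's), here is how the validator could classify the requestJira result so that the 404 seen in the log above is reported as a permission problem in the validation error rather than surfacing as a failed transition. It assumes a Forge validator returns `{ result: boolean, errorMessage? }` and that requestJira resolves to a fetch-style response (`ok`, `status`, `statusText`, `json()`); `fetchIssue` and `fakeRequestJira` are stand-ins for `api.asApp().requestJira` so the code runs offline.

```javascript
// Added example, not code from the original post.
// Assumption: Forge validators return { result: boolean, errorMessage?: string }.

// Synchronous core, so it can be exercised without Forge or network access.
function interpretIssueResponse(issueKey, status, statusText, body) {
  if (status === 404 || status === 403) {
    // With asApp(), a 404 on an issue that exists usually means the app lacks
    // Browse Projects in that project's permission scheme (the situation in
    // the post), not that the issue is missing. Say so in the error message.
    return {
      result: false,
      errorMessage:
        `Validator could not read ${issueKey} (HTTP ${status} ${statusText}). ` +
        "Check that the Browse Projects permission in this project's permission " +
        'scheme covers the Forge app user.',
    };
  }
  if (status < 200 || status >= 300) {
    return { result: false, errorMessage: `Unexpected Jira response ${status} ${statusText} for ${issueKey}` };
  }
  const assigned = Boolean(body && body.fields && body.fields.assignee);
  return { result: assigned, errorMessage: assigned ? undefined : `Issue ${issueKey} must be assigned` };
}

// Async validator entry point; fetchIssue stands in for api.asApp().requestJira.
async function issueIsAssignedValidator({ issue }, fetchIssue) {
  const { key: issueKey } = issue;
  const response = await fetchIssue(`/rest/api/3/issue/${issueKey}`);
  const body = response.ok ? await response.json() : null;
  return interpretIssueResponse(issueKey, response.status, response.statusText, body);
}

// Constructed stand-in for requestJira; unknown paths return the post's 404.
function fakeRequestJira(responsesByPath) {
  return async (path) => {
    const r = responsesByPath[path] || { status: 404, statusText: 'Not Found' };
    return { ok: r.status < 400, status: r.status, statusText: r.statusText, json: async () => r.body };
  };
}

// Stand-alone demo reproducing the 404 case from the post's log (constructed issue data).
issueIsAssignedValidator({ issue: { id: 18274, key: 'XX-2033' } }, fakeRequestJira({}))
  .then((outcome) => console.log(outcome));
```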

One additional note: I can call the /rest/api/3/issue/<issue_id> REST API endpoint using the same token I created for Forge and get the correct results.

It appears the Forge call is failing for permission reasons, but the same call via Python requests works fine.

Hello @wadc! That’s correct, at the moment .asApp calls only have access to Jira projects with the default permission scheme. The team is actively working on this problem, but I cannot provide you with an estimate yet.

I will follow up on this thread when it’s done.

Thanks,
Pavel


@pvlasov thank you.

So is there any workaround for a validator used in a project where you don’t want every logged in user to be able to see the issues?