REST API returns "Parent page view is restricted" while anonymous users can freely access content

I’m building a Connect addon that needs to fetch the content body from the backend. Currently I’m trying to use /rest/api/content/CONTENT_ID?expand=body.storage and sign the request using JWT and the shared secret that I got during addon installation (requested scopes: READ, WRITE).

Unfortunately that’s what I get in return:

{
    "statusCode": 403,
    "data": {
        "authorized": false,
        "valid": false,
        "errors": [
            {
                "message": {
                    "key": "confluence.content.restricted.inherited",
                    "translation": "Parent page view is restricted",
                    "args": []
                }
            }
        ],
        "successful": false
    },
    "message": "Parent page view is restricted"
}

It says "authorized": false while the response also contains the header:
X-AUSERNAME: addon_eu.wisoft.slack.confluence
which seems to prove that the JWT signing has been done correctly.

Surprisingly, when I do the same request as an anonymous user in an incognito window, I get the successful response.

Am I missing something, or does it look like a bug?

This error message is indicating that the user cannot view the page, but the REST API has worked out that you should be permitted to see that specific content. This generally means that there are some inherited permissions preventing that user from viewing that page.

Check the parent page and its parent pages to see if there are any permissions for that specific user. Also check the space to see if there are any permissions preventing this user from viewing the content.

Thanks for your hints. I’ve just checked the permissions of the Space and indeed it has an explicit entry that disallows “view” to all content for an Addon User (however, it still has add/delete permissions for pages, blogs, comments, attachments and even the “admin” right). Surprisingly, there is also an entry for anonymous users which allows them to “view” all content. That seems to answer the question about a root cause.

However, I believe we didn’t configure it manually in our own Confluence. Moreover, 80% out of a sample of 10 attempts on customer instances (reading from our server logs) fail in the same way…

  1. How could I confirm/disprove whether it is the default configuration for Addon Users?
  2. How could we manifest in our addon that we need this “view” permission by default?

I’m stuck on the same point now. Can someone please help me with this?

  1. How could I confirm/disprove whether it is the default configuration for Addon Users?
  2. How could we manifest in our addon that we need this “view” permission by default?
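
Added example (not part of the original thread, and not Atlassian code): a small Node.js triage over logged responses that separates a JWT/authentication failure from the case discussed above, where X-AUSERNAME shows the add-on user was identified but the confluence.content.restricted.inherited key shows that view access was denied. The record shape ({status, headers, body}) and the category names are assumptions of this example, and the sample records are constructed.

```javascript
// Error key taken from the 403 response quoted in the thread.
const INHERITED = 'confluence.content.restricted.inherited';

// Collect error keys from data.errors[].message.key, tolerating missing fields.
function errorKeys(body) {
  const errors = body && body.data && Array.isArray(body.data.errors) ? body.data.errors : [];
  return errors.map((e) => e && e.message && e.message.key).filter(Boolean);
}

// Classify one logged response (assumed log record shape: {status, headers, body}).
function classify(record) {
  const headers = {};
  for (const [k, v] of Object.entries(record.headers || {})) headers[k.toLowerCase()] = v;
  const user = headers['x-ausername'];
  // Assumption: a missing header or the value "anonymous" means no identity was established.
  const authenticated = Boolean(user) && user !== 'anonymous';
  if (record.status >= 200 && record.status < 300) return 'ok';
  if (record.status === 401) return 'authentication-failed';
  if (record.status === 403) {
    if (!authenticated) return 'forbidden-anonymous';
    // Signature was accepted (identity resolved); the denial comes from permissions.
    return errorKeys(record.body).includes(INHERITED)
      ? 'view-restricted-for-authenticated-user'
      : 'forbidden-other';
  }
  return 'other-error';
}

// Count categories across many records, e.g. one per customer instance.
function summarize(records) {
  const counts = {};
  for (const r of records) {
    const c = classify(r);
    counts[c] = (counts[c] || 0) + 1;
  }
  return counts;
}

// Constructed sample records; the first mirrors the response quoted in the thread.
const SAMPLE = [
  { status: 403, headers: { 'X-AUSERNAME': 'addon_eu.wisoft.slack.confluence' },
    body: { statusCode: 403, data: { authorized: false, valid: false, successful: false,
      errors: [{ message: { key: INHERITED, translation: 'Parent page view is restricted', args: [] } }] } } },
  { status: 200, headers: { 'x-ausername': 'anonymous' }, body: {} },
  { status: 401, headers: {}, body: {} },
  { status: 403, headers: { 'X-AUSERNAME': 'addon_example' }, body: { data: { errors: [] } } },
];

console.log(summarize(SAMPLE));
```

A high share of view-restricted-for-authenticated-user results points at space or page permissions for the add-on user rather than at request signing.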