Restricting access to the context data for Bitbucket Connect apps

What is changing?

We are going to restrict access to context data for all Connect apps soon. To use context parameters in a descriptor, you will need to add appropriate scopes to the scopes section of your descriptor.

Read more about context parameters

Why is it changing?

We are improving our security and transparency. We would like users to be aware of which data a Connect app can use and to explicitly grant access to it.

What do I need to do?

Some apps may be affected by this change, and their descriptors should be updated. Please check that your descriptor uses the correct scopes. Refer to the docs.

After the descriptor is updated, users will need to reinstall your app to grant it the new scope permissions.

In the example below, scopes should include repository and account to access the context parameters {repository.slug}, {repository.owner}, {user.username} and to evaluate the condition has_account_permission. If these scopes are not provided, the context parameters won’t be replaced.

{
    "key": "example-app",
    "name": "Example App",
    "description": "An example app for Bitbucket",
    "vendor": {
        "name": "Angry Nerds",
        "url": "https://www.example.com"
    },
    "baseUrl": "https://www.example.com",
    "modules": {
      "webItem": [{
        "url": "repositories/{repository.slug}?user={user.username}",
        "key": "pullrequest-example-web-item",
        "location": "org.bitbucket.pullrequest.summary.actions",
        "name": {
          "value": "Pullrequest Report Example"
        },
        "conditions": [{
           "condition": "has_account_permission",
           "target": "repository.owner",
           "params": {
             "permission": "admin"
           }
        }]
      }]
    },
    "scopes": ["account", "repository", "repository:admin"]
}

By when do I need to do it?

On 17 May 2021 we will change access to context data for all apps. Please update your app scopes before the deadline.
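
One way to check a descriptor for context parameters and conditions that are used without a matching scope. This is an added example, not Atlassian's code. The mapping from parameter prefix and condition name to scope is an assumption inferred from the example above, and SAMPLE is a constructed descriptor fragment with the scopes left deliberately too narrow.

```python
import re

# Assumption: which scope unlocks which context-parameter prefix. The post only
# says "repository" and "account" together cover the parameters it lists.
PARAM_SCOPE = {"repository": "repository", "user": "account"}
# Assumption: this condition needs the "account" scope.
CONDITION_SCOPE = {"has_account_permission": "account"}
PLACEHOLDER = re.compile(r"\{([a-z_]+)\.[A-Za-z_.]+\}")

# Constructed sample: the post's web item, with the scopes deliberately too narrow.
SAMPLE = {
    "modules": {"webItem": [{
        "url": "repositories/{repository.slug}?user={user.username}",
        "conditions": [{"condition": "has_account_permission",
                        "target": "repository.owner",
                        "params": {"permission": "admin"}}],
    }]},
    "scopes": ["repository:admin"],
}


def walk(node):
    """Yield every dict nested anywhere inside the parsed descriptor."""
    if isinstance(node, dict):
        yield node
        for value in node.values():
            yield from walk(value)
    elif isinstance(node, list):
        for item in node:
            yield from walk(item)


def missing_scopes(descriptor):
    """Map each undeclared scope to the descriptor fields that rely on it."""
    # Exact match only: no scope is assumed to imply another.
    declared = set(descriptor.get("scopes", []))
    needed = {}
    for obj in walk(descriptor.get("modules", {})):
        for key, value in obj.items():
            if not isinstance(value, str):
                continue
            prefixes = [m.group(1) for m in PLACEHOLDER.finditer(value)]
            if key == "target":  # condition targets are written without braces
                prefixes.append(value.split(".", 1)[0])
            scopes = {PARAM_SCOPE.get(p) for p in prefixes}
            if key == "condition":
                scopes.add(CONDITION_SCOPE.get(value))
            for scope in scopes - {None}:
                needed.setdefault(scope, set()).add(f"{key}: {value}")
    return {s: sorted(r) for s, r in needed.items() if s not in declared}
```

For a real app, load the descriptor file with json.load and pass the result to missing_scopes; an empty dict means every recognised parameter and condition has its scope declared.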
