RFC-9: Blocking Guest Access to Apps

Thank you @MorganWang for such a detailed RFC and for bringing this to the Atlassian ecosystem far in advance to allow us to voice our opinions!

I must say that I’m a bit taken aback by this proposal, as it basically translates to “we don’t trust our partners nor our customers”, both expressed nicely in this sentence:

Based on the request for feedback, it becomes clear that the decision has already been made and that the discussion on whether or not guest access to apps will be blocked is not part of this RFC. So feel free to ignore this comment, but I’m going to voice it anyway:

Atlassian, you are making a mistake.

If you are really scared that Atlassian Marketplace Partners can leak customer information, you should stop selling apps. We can leak information on any given Sunday if we like. This is a risk your customers are fully aware of when they consciously install and purchase apps.

Telling Partners that they cannot be trusted with the responsibility of handling customer data, with implementing proper permissions checks (which we are already doing???) and telling customers that they are incapable of deciding for themselves whether or not they trust app vendors is… a bit rude and patronising.

I would have somehow understood if you would have told us it was too difficult (or not a priority) for Atlassian to implement a proper mechanism for customers to have control over which app (or even macro) they want to enable guest usage on. I can totally understand that you just want to ship this feature and not want to deal with the intricacies of adding guest support for apps. But what happened to “open company, no bullshit”?

I’m also curious how, in light of this decision to not trust partners nor customers, Atlassian views having apps on public pages/spaces in Confluence? We can also leak data on those pages :scream:

4 Likes