Hi community,
I’m trying to secure my connect app’s configure route, whose scope is “read” for now.
- I added a condition like
    "configurePage": {
        "url": "/plugin/adminPagePro",
        "key": "configure",
        "name": {
            "value": "My plugin Setup Page"
        },
        "conditions": [
            {
                "condition": "user_is_sysadmin"
            }
        ]
    }
but that’s not enough.
- I’m now trying to secure the route itself and I was wondering how to check by code (Java) if the connected user has the sysadmin right. Would any of you have an idea?
Thanks a lot for your help,
Best regards,
Sylvain
Hi Sylvain,
Welcome to the community.
You can use the mypermissions REST API to request the permissions the current user has. Caching the response would be a good idea to make sure you don’t hit this endpoint for every single request; usually a couple of hours would be a good starting point for the cache duration.
Since you specifically mentioned Java, I’m assuming you are using atlassian-connect-spring-boot.
If this is the case, then you could implement something like the org.springframework.web.servlet.AsyncHandlerInterceptor that would check permission requirements for an endpoint.
Cheers,
Mark
Hi Mark,
Thanks a lot for your quick answer.
I saw this API end-point but I couldn’t get it to work as expected. I’m using a Java custom implementation (not the Spring Boot connect framework) and I don’t understand how Jira will know which user is calling the end-point.
There might be some other information to be sent to the API, right?
Cheers,
Sylvain
Hmm … I could get it to work with your advice and that’s great! Thanks again.
However, I’m not sure I fully understand how Jira knows who is asking for the permissions.
Btw, what permission should I check to prevent access to the admin page of my app with insufficient privileges?
Cheers,
I thought everything was working fine but … it happened not to be the case.
The end-point can be requested and I got, for example, this answer:
    {
        "permissions": {
            "ADMINISTER": {
                "id": "0",
                "key": "ADMINISTER",
                "name": "Administer Jira",
                "type": "GLOBAL",
                "description": "Create and administer projects, issue types, fields, workflows, and schemes for all projects. Users with this permission can perform most administration tasks, except: managing users, importing data, and editing system email settings.",
                "havePermission": false
            },
            "SYSTEM_ADMIN": {
                "id": "44",
                "key": "SYSTEM_ADMIN",
                "name": "Jira System Administrators",
                "type": "GLOBAL",
                "description": "Ability to perform all administration functions. There must be at least one group with this permission.",
                "havePermission": false
            }
        }
    }
I always got a "havePermission": false answer whatever (global) permission I checked, even when connected with the main user I used for testing in a Jira Cloud dev environment. I also tried to modify my app’s scope to include “admin” or “act_as_user”, but without success.
Back to my previous question, how does Jira know who is requesting their permissions?
Btw, which permission should I check to prevent access to my app’s admin page with insufficient privileges?
Cheers,
Ok, I found some of the answers …
- the permission to check is ADMINISTER
- I managed to get an answer with the correct permission (ADMINISTER but not SYSTEM_ADMIN) by adding a JWT with a QSH to the call to Jira, but … I always get the same response whichever user is asking.
It most probably happens because I’m still doing an anonymous call, but I don’t know how to tell Jira who is asking, meaning who the connected user is. Is there any way to extract the accountId from the JWT?
For the record, issue fixed by:
- extracting the user account from the incoming request’s JWT
- calling the Jira API to check permissions for this account ID
- verifying that the global permission ADMINISTER is set
Cheers,
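The three steps from the post above, as an added example (not code from the thread; the asker's stack is Java, this is the same logic in Python). It assumes the shared secret and client key come from the app's installed lifecycle payload, that the JWT's `sub` claim carries the accountId of the user who opened the page, that the qsh follows Atlassian's published query-string-hash rules, and that the permissions response has the mypermissions shape shown earlier in the thread; the secret, account id and request values are constructed.

```python
import base64, hashlib, hmac, json, time
from urllib.parse import parse_qs, quote

def _b64d(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def _b64e(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def canonical_qsh(method, path, query):
    """Connect query-string hash: sha256("METHOD&path&sorted params"), the jwt param excluded."""
    params = parse_qs(query, keep_blank_values=True)
    params.pop("jwt", None)
    encoded = "&".join(f"{quote(k, safe='~')}={','.join(quote(v, safe='~') for v in sorted(vs))}"
                       for k, vs in sorted(params.items()))
    canonical = f"{method.upper()}&{path.rstrip('/') or '/'}&{encoded}"
    return hashlib.sha256(canonical.encode()).hexdigest()

def verify_connect_jwt(token, shared_secret, client_key, method, path, query, now=None):
    """Validate the JWT Jira attaches to a page request and return the caller's accountId (`sub`)."""
    head_b64, body_b64, sig_b64 = token.split(".")
    if json.loads(_b64d(head_b64)).get("alg") != "HS256":
        raise ValueError("unexpected alg")
    mac = hmac.new(shared_secret.encode(), f"{head_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(mac, _b64d(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64d(body_b64))
    if claims.get("iss") != client_key:
        raise ValueError("unknown issuer")      # signed with another tenant's secret
    if claims.get("exp", 0) < (now or time.time()):
        raise ValueError("token expired")
    if claims.get("qsh") != canonical_qsh(method, path, query):
        raise ValueError("qsh mismatch")        # token replayed against a different route
    if not claims.get("sub"):
        raise ValueError("no user in token")    # lifecycle or background call, no user context
    return claims["sub"]

def has_administer(mypermissions_json):
    """True only when the mypermissions payload (shape shown in the thread) reports ADMINISTER held."""
    entry = mypermissions_json.get("permissions", {}).get("ADMINISTER", {})
    return entry.get("havePermission") is True

def mint_token(shared_secret, client_key, sub, method, path, query, exp):
    """Constructed stand-in for Jira's side, so the verifier can be exercised offline."""
    head = _b64e(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64e(json.dumps({"iss": client_key, "sub": sub, "exp": exp,
                             "qsh": canonical_qsh(method, path, query)}).encode())
    sig = hmac.new(shared_secret.encode(), f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{_b64e(sig)}"
```

Only the `sub` returned by `verify_connect_jwt` should be used as the accountId for the permission call; serving the configure page before `has_administer` is true on that account's response is what left the route open.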
Hi @SylvainCaillet1
I’m sorry I missed the notifications on this thread.
Good to read that you were able to resolve your blocker.
You are indeed correct, the JWT contains the details of the user invoking your app through Jira.
This you can use to then call Jira as you found.
Cheers,
Mark