Setting Space Permissions using Forge Custom UI (Using new @forge/bridge functionality)

I am aiming to add Space Permissions to a User or Group using Confluence Cloud's REST API: https://developer.atlassian.com/cloud/confluence/rest/api-group-space-permissions/

With the new ‘requestConfluence’ function, I can call Confluence requests without needing to invoke a resolver (this works for other endpoints in the Confluence Cloud REST API); however, the /wiki/rest/api/space/${spaceKey}/permission endpoint returns a 401 Unauthorized error.
The following permissions are in my manifest:

    - storage:app
    - read:confluence-space.summary
    - read:confluence-groups
    - read:confluence-user
    - write:confluence-groups
    - read:confluence-props
    - write:confluence-props
    - search:confluence
    - write:confluence-space
    - manage:confluence-configuration

Example using new ‘requestConfluence’ outside Resolver

import {requestConfluence} from "@forge/bridge";

export const addPermissionToNewGroup = async (spaceKey, groupName) => {
    // bodyData should grant read permissions to the group provided (per the docs groupId or groupName can be provided)
    // JSON.stringify produces valid JSON (no trailing comma) and escapes groupName
    const bodyData = JSON.stringify({
        subject: {type: "group", identifier: groupName},
        operation: {key: "read", target: "space"}
    });
    const response = await requestConfluence(`/wiki/rest/api/space/${spaceKey}/permission`, {
        method: 'POST',
        headers: {
            'Accept': 'application/json',
            'Content-Type': 'application/json'
        },
        body: bodyData
    });
    console.log(response);
    console.log(response.status); //401
    return response.status;
}

The following response is given:

{
  "headers": {},
  "ok": false,
  "status": 401,
  "statusText": "Unauthorized",
  "body": {
    "code": 401,
    "message": "Unauthorized; scope does not match"
  }
}

In the Rest API docs, in the Forge section, this endpoint states:

This API resource doesn't support Oauth2 (3LO). See alternate authorization methods:

So how is this possible in Forge? Is there a workaround/alternative endpoint, or is this not extended to work within Forge CustomUI?

Update: On a related note, there seems to not be any description in the docs on how to retrieve space permissions?
Update 2: This has been tested using a resolver definition in case asApp or asUser would help - it doesn’t.

@DennyMiller this isn’t helpful indeed

This API resource doesn’t support Oauth2 (3LO). See alternate authorization methods:

I will ask our engineers to look at this on Monday.

Hi @DennyMiller, the Confluence docs link notes that this REST API does not support apps, including when impersonating a user, so calling it won’t be possible in Forge.

Hi @PeterYu , thanks for the response.
So is there any plan to support the API endpoints that are currently not supported within Forge? If not, is this only achievable with a full-blown Connect app (or potentially a connect on Forge app)?
With Forge lacking full Confluence (and Jira) cloud API capabilities, this presents a blocker with our development of migrating our server/DC apps to cloud.
Update “Connect apps cannot access this REST resource.” Sooo… we have no way for our App to access this endpoint?

What are the ways in which the following can be achieved:

  • Retrieving Space Permissions and/or Group Permissions (Which groups have permissions, e.g. all groups with ‘read’ permissions)
  • Adding Permissions to Groups (Creating a group is fine but without any permissions to the product/spaces, the group is essentially useless)

If there is no way to achieve this functionality in Cloud using Forge (and from the looks of it, also using Connect), why is this endpoint listed in the Confluence Cloud Rest API as an endpoint we can access/view/use?

Retrieving Space Permissions can be done via the get Space API, but it doesn’t look like permissions can be added to groups programmatically, unfortunately.

The endpoint is listed on the API because it may be called directly by users, with apps only permitted to call a subset of the listed endpoints.

Does this not just retrieve Custom Content space permissions? (As opposed to the default Space Permissions table - which groups can view/edit etc)

With this information, it sounds like it would not be possible to do the following using the rest API:

  • Create a new group (e.g. ‘group-clone’)
  • Retrieve all space permissions of an existing group (e.g. ‘group’) - this would include what actions members of ‘group’ have inside the given space (read/delete…)
  • Add the found permissions for ‘group-clone’ (essentially cloning the group’s space permissions).

When it comes to usability, our users would not want to use our app to perform these operations, only to have to go into the space settings to manually add the required permissions.
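
A reply above says space permissions can be read through the get Space API. The following added example (not code from the thread or from Atlassian) fetches a space with `expand=permissions` and groups the result by group name, which is the read-only half of the "clone a group's permissions" workflow. The response shape, the constructed sample data and the function names are assumptions, and `request` stands in for `requestConfluence`.

```javascript
// Added example. Assumed response shape for
// GET /wiki/rest/api/space/{spaceKey}?expand=permissions:
//   permissions: [{ operation: { operation, targetType },
//                   subjects: { group: { results: [{ name }] } } }]

// Constructed sample response, used only so the code runs offline.
const SAMPLE_SPACE = {
  key: "DOCS",
  permissions: [
    { operation: { operation: "read", targetType: "space" },
      subjects: { group: { results: [{ type: "group", name: "group" }], size: 1 } } },
    { operation: { operation: "delete", targetType: "page" },
      subjects: { group: { results: [{ type: "group", name: "group" }], size: 1 } } },
    { operation: { operation: "read", targetType: "space" },
      subjects: { group: { results: [{ type: "group", name: "site-admins" }], size: 1 } } },
    { operation: { operation: "administer", targetType: "space" },
      subjects: { user: { results: [{ accountId: "constructed-id" }], size: 1 } } },
    { operation: { operation: "read", targetType: "space" }, anonymousAccess: true },
  ],
};

// Flatten the permissions array into { groupName: ["operation:target", ...] }.
// Entries that name only users, or no subject at all, are skipped.
function groupPermissions(space) {
  const byGroup = new Map();
  for (const perm of space.permissions || []) {
    const op = perm.operation;
    const groups = perm.subjects?.group?.results || [];
    if (!op) continue;
    for (const g of groups) {
      if (!byGroup.has(g.name)) byGroup.set(g.name, new Set());
      byGroup.get(g.name).add(`${op.operation}:${op.targetType}`);
    }
  }
  return Object.fromEntries([...byGroup].map(([name, ops]) => [name, [...ops].sort()]));
}

// `request` is injected: in Custom UI pass requestConfluence from @forge/bridge.
async function fetchGroupPermissions(request, spaceKey) {
  const res = await request(
    `/wiki/rest/api/space/${encodeURIComponent(spaceKey)}?expand=permissions`,
    { headers: { Accept: "application/json" } }
  );
  // Surface scope failures such as the 401 in the question instead of parsing them.
  if (!res.ok) throw new Error(`Get space failed with HTTP ${res.status}`);
  return groupPermissions(await res.json());
}
```

Comparing the arrays returned for two group names shows which operations a manual grant in space settings would still need to cover.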