Unable to store user properties from Jira add-on UI, getting a 403

Hello,

I’m trying to save user properties from a Jira cloud add-on, but I’m getting a 403 return code. The scenario is that the currently logged-in user triggers a property save through the UI (the following code is running on the client side/UI).

Any clue on what’s missing? Thank you!

F.

Code excerpt:

```javascript
setupAjax: function()
{
  var token = $("meta[name=token]");

  $.ajaxSetup(
  {
    headers: {
      'Authorization': 'JWT ' + token.attr("content"),
      'Accept': 'application/json',
      'Content-Type': 'application/json'
    }
  });
}

AP.require('request', function(request)
{
  request(
  {
    url: '/rest/api/3/user/properties/' + propertyKey + '?accountId=' + deeperData.atlassianAccountId,
    type: 'PUT',
    body: deeperData.productTourSections,
    success: function(response)
    {
      console.log("saveUserPropertiesPromise():success");
      console.log(response);
    },
    error: function(response)
    {
      console.log("saveUserPropertiesPromise():error");
      console.log(response);
    }
  });
});
```

Add-on descriptor excerpt:

```json
"scopes": [
  "READ",
  "WRITE",
  "DELETE",
  "PROJECT_ADMIN",
  "ADMIN",
  "ACT_AS_USER"
]
```

From what I recall, AP.requests are executed with the current user's permissions. If the user you use has no permission to change a user property (I believe you need to be an admin to do so), you will get a 403.

Hi @maciej.dudziak,

Thank you for your reply. The AP.request is executed under the current user's permissions (the request tries a PUT for the user logged in to Jira). But it fails.

Would there be some configuration to perform on Jira cloud server side?

Thank you,

Fred

Hi again,

Here is the exact code I’m trying to run inside Chrome’s console (I just anonymized the accountId). I'm still getting a 403: any clue, anyone?

```javascript
AP.request(
{
  url: '/rest/api/2/user/properties/' + "huminder.program-board.product-tour" + '?accountId=' + 'x-x-x-x-x',
  type: 'PUT',
  body: {
    selectProject: false,
    graphMenu: false,
    leftMenu: false
  },
  success: function(response)
  {
    console.log("saveUserPropertiesPromise():success");
    console.log(response);
  },
  error: function(response)
  {
    console.log("saveUserPropertiesPromise():error");
    console.log(response.responseText);
  }
});
```

I have just looked into the docs and they state:

Permissions required:

  • Administer Jira global permission, to set a property on any user.
  • Access to Jira, to set a property on the calling user’s record.

Note: These user properties are unrelated to the Jira properties that are set in Jira.

Apps cannot access this REST resource.

That is strange; we have it in production and we use the backend (connect express) to set the user property. The call is executed by the app (we have ADMIN in scope); however, the docs state that apps cannot access this resource. On the other hand, I remember we decided to make the call by the app because it didn’t work when the property was set by the calling user (which was strange).

I am confused now; however, it works in production.