Using REST API restricted to admins in non-admin use case

For my plugin I want to use the REST API to get members of a group. This REST API is allowed only for admins or sysadmins, but as part of my plugin I would like to use it in non-admins context via JavaScript from my plugin web panel.

Is there any nice idea, how to make this specific REST API also available for non-admins?

I thougth about copying the Java class from Jira source code, change corresponding authorization code and deploy the new class as REST API as part of my own plugin. (Btw. Do you know, in which Jira package to look for the code?)

Do you see other ways to get the job done?

Best regards
Holger

“Danger Will Robinson” - [Robot that I can’t remember the name of] ( @pvandevoorde - feature request: can we have memes ? )

You’ll expose a information leak if you just do this. My suggestion would be to implement your own rest api where you perform the logic yourself (it’s not that much logic) but more importantly - have a permission setting somewhere (either through global settings or your own configuration page) where the administrator has to accept what you’re wanting them to do. This way somebody has to opt-in into letting things be released. Yes it’s more work for the admin, but they’ll appreciate it and feel more comfortable with it.

As far as copying Jira’s code and releasing it into your source code - I believe that’s a no-no…

1 Like

Yes, I agree to the information leak problem. I have to restrict the API to just work in the context of my plugin and not as a general method to retrieve all group member ships etc.

And yes, copying would be a no-no. I am thinking about subclass or re-use mashalling methods, beans, paging algorithms.

1 Like