Getting users list: permissions issue


Konstantin Mirin

Oct 18, 2015, 5:25:54 PM
to atlassian-...@googlegroups.com
Hi there,

I’m stuck with a really simple task - get the list of users in JIRA.
Does anyone have a working solution for that?

My findings are below.

I saw that there is no such method in the API and there are workarounds (not all equivalent, but all would do for my purpose):
1) Get assignable users to the project or projects. Gives me 403 error.
/rest/api/2/user/assignable/multiProjectSearch?projectKeys=BIS
OR
/rest/api/2/user/assignable/search?project=BIS
Both give me 403 error
2) Get list of users with BROWSE permission for my project
/rest/api/2/user/viewissue/search?projectKey=BIS
I get 403.
3) Get list of users with certain permissions
/rest/api/2/user/permission/search
I get 403 error
4) Search for users using autocomplete
/rest/api/2/user/search?username=konst
Returns nothing. When I type “konst” in the autocomplete in the “Assign issue” dialog in the web interface, I get the user I am looking for (myself).
Not sure how this works, but surely not as described in API
5) Get members of the group jira-users. 
/rest/api/2/group/members?groupname=jira-users
/rest/api/2/group?groupname=jira-users&expand=users
I get 403.

Then I started to dig into the permissions scheme and here is what /mypermissions call looks like (browser user is JIRA administrator):
{
    "VIEW_WORKFLOW_READONLY": true,
    "CREATE_ISSUES": true,
    "VIEW_DEV_TOOLS": true,
    "BULK_CHANGE": true,
    "CREATE_ATTACHMENT": true,
    "DELETE_OWN_COMMENTS": true,
    "WORK_ON_ISSUES": true,
    "PROJECT_ADMIN": false,
    "COMMENT_EDIT_ALL": false,
    "ATTACHMENT_DELETE_OWN": true,
    "WORKLOG_DELETE_OWN": true,
    "CLOSE_ISSUE": true,
    "MANAGE_WATCHER_LIST": false,
    "VIEW_VOTERS_AND_WATCHERS": true,
    "ADD_COMMENTS": true,
    "COMMENT_DELETE_ALL": false,
    "CREATE_ISSUE": true,
    "DELETE_OWN_ATTACHMENTS": true,
    "DELETE_ALL_ATTACHMENTS": false,
    "ASSIGN_ISSUE": true,
    "LINK_ISSUE": true,
    "EDIT_OWN_WORKLOGS": true,
    "CREATE_ATTACHMENTS": true,
    "EDIT_ALL_WORKLOGS": false,
    "SCHEDULE_ISSUE": true,
    "CLOSE_ISSUES": true,
    "SET_ISSUE_SECURITY": false,
    "SCHEDULE_ISSUES": true,
    "WORKLOG_DELETE_ALL": false,
    "COMMENT_DELETE_OWN": true,
    "ADMINISTER_PROJECTS": false,
    "DELETE_ALL_COMMENTS": false,
    "RESOLVE_ISSUES": true,
    "VIEW_READONLY_WORKFLOW": true,
    "ADMINISTER": false,
    "MOVE_ISSUES": true,
    "TRANSITION_ISSUES": true,
    "SYSTEM_ADMIN": false,
    "DELETE_OWN_WORKLOGS": true,
    "BROWSE": true,
    "EDIT_ISSUE": true,
    "MODIFY_REPORTER": false,
    "EDIT_ISSUES": true,
    "MANAGE_WATCHERS": false,
    "EDIT_OWN_COMMENTS": true,
    "ASSIGN_ISSUES": true,
    "BROWSE_PROJECTS": true,
    "VIEW_VERSION_CONTROL": true,
    "WORK_ISSUE": true,
    "COMMENT_ISSUE": true,
    "WORKLOG_EDIT_ALL": false,
    "EDIT_ALL_COMMENTS": false,
    "DELETE_ISSUE": false,
    "USER_PICKER": false,
    "CREATE_SHARED_OBJECTS": true,
    "ATTACHMENT_DELETE_ALL": false,
    "DELETE_ISSUES": false,
    "MANAGE_GROUP_FILTER_SUBSCRIPTIONS": false,
    "RESOLVE_ISSUE": true,
    "ASSIGNABLE_USER": true,
    "TRANSITION_ISSUE": true,
    "COMMENT_EDIT_OWN": true,
    "MOVE_ISSUE": true,
    "WORKLOG_EDIT_OWN": true,
    "DELETE_ALL_WORKLOGS": false,
    "LINK_ISSUES": true
};

OK, let’s dig further. Looks like I need additional scope as described here: https://developer.atlassian.com/static/connect/docs/latest/scopes/scopes.html
So my descriptor now looks like:
"authentication": {
    "type": "jwt"
},
"lifecycle": {
    // atlassian-connect-express expects this route to be configured to manage the installation handshake
    "installed": "/installed"
},
"scopes": [
    "READ",
    "PROJECT_ADMIN"
],

"modules": {

I re-installed the plugin in my JIRA instance. So to make it clear, I specifically request the permission PROJECT_ADMIN. It is not given to me. And endpoints that depend on it fail. I know that the permissions of a plugin are an intersection of what is available to the plugin and to the user. But this is not the case - my browser user has full permissions!

By the way, endpoints for listing users do not require PROJECT_ADMIN or ADMIN permissions… This is just READ…


At the end I don’t have a working solution for my task. I need to get a list of users for a project. But just a list of all users would do as well.

I could scan all issues and get users from them, but that’s not the most intelligent way to do it, eh?

Jake Furler

Oct 19, 2015, 1:10:29 AM
to Atlassian Connect Dev
Hi Konstantin,

I just made a test add-on with PROJECT_ADMIN scope the same way you did in your descriptor, and I was able to access the /rest/api/2/user/assignable/search endpoint from both the add-on server and the client JavaScript. How are you determining that the permission is not given to you - are the endpoints still returning a 403 when you include the PROJECT_ADMIN scope? Could you post an example of how you're calling the REST endpoint?

Thanks,

Jake
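
Added example (not from the thread and not atlassian-connect-express's own code): how an add-on server with "authentication": {"type": "jwt"} can sign a GET to one of the endpoints above using only Node's crypto module, including the qsh claim that binds the token to the exact method, path and query. The add-on key and shared secret are constructed placeholders, and path canonicalisation is simplified to paths without special characters.

```javascript
const crypto = require('crypto');

// RFC 3986 percent-encoding (encodeURIComponent leaves !'()* unescaped).
const enc = (s) => encodeURIComponent(s).replace(/[!'()*]/g,
  (c) => '%' + c.charCodeAt(0).toString(16).toUpperCase());

const b64url = (data) => Buffer.from(data).toString('base64')
  .replace(/=+$/, '').replace(/\+/g, '-').replace(/\//g, '_');

// Canonical request: METHOD&path&query, where the path is relative to the
// product base URL, parameters are sorted by key, repeated values are
// sorted and comma-joined, and the "jwt" parameter itself is excluded.
function canonicalRequest(method, path, query = {}) {
  const q = Object.keys(query).filter((k) => k !== 'jwt').sort()
    .map((k) => enc(k) + '=' + [].concat(query[k]).map(enc).sort().join(','))
    .join('&');
  return [method.toUpperCase(), path || '/', q].join('&');
}

// Query string hash: hex SHA-256 of the canonical request.
function qsh(method, path, query) {
  return crypto.createHash('sha256')
    .update(canonicalRequest(method, path, query)).digest('hex');
}

// HS256 token signed with the shared secret received at installation.
function signJwt(addonKey, sharedSecret, method, path, query, now = Date.now()) {
  const iat = Math.floor(now / 1000);
  const header = b64url(JSON.stringify({ typ: 'JWT', alg: 'HS256' }));
  const claims = b64url(JSON.stringify({
    iss: addonKey, iat, exp: iat + 180, qsh: qsh(method, path, query),
  }));
  const sig = crypto.createHmac('sha256', sharedSecret)
    .update(header + '.' + claims).digest();
  return header + '.' + claims + '.' + b64url(sig);
}

// Constructed values: add-on key and secret are placeholders.
const path = '/rest/api/2/user/assignable/search';
const token = signJwt('com.example.addon', 'constructed-secret',
  'GET', path, { project: 'BIS' });
console.log('GET ' + path + '?project=BIS');
console.log('Authorization: JWT ' + token);
```

A token signed for one query string does not validate for another, so the qsh must be recomputed for every distinct request.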