Create
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Sign up Log in
Products
See all
Community resources
Top groups
Explore all groups
Community resources
Learn
Community resources
Events
Community resources

Script Runner - Script Fragment and REST Endpoint restriction based on project's role.

fjodors
fjodors
Rising Star
Rising Star
Rising Stars are recognized for providing high-quality answers to other users. Rising Stars receive a certificate of achievement and are on the path to becoming Community Leaders.
Get recognized
April 23, 2018

Hello

I'd like to restrict Script Fragment and REST Endpoint for users in specific project role.
I detected strange behavior with ApplicationUser returned by "ComponentAccessor.getJiraAuthenticationContext().getLoggedInUser()"

For.e.g.

1. I have a script fragment that executes specific rest endpoint with defined project Key: /rest/scriptrunner/latest/custom/myRestendpointFunction?project=${project.key}
Fragment location: jira.project.sidebar.navigation
Restriction:

import com.atlassian.jira.component.ComponentAccessor
import com.atlassian.jira.security.roles.ProjectRoleManager
import com.atlassian.jira.project.ProjectManager
import com.atlassian.jira.project.Project;
def projectKey = jiraHelper.project?.key;
def currentUser = ComponentAccessor.getJiraAuthenticationContext().getLoggedInUser()
def projectRoleManager = ComponentAccessor.getComponentOfType(ProjectRoleManager);
def projectManager = ComponentAccessor.getProjectManager();
def role = projectRoleManager.getProjectRole("Admin");
Project projectObj = projectManager.getProjectObjByKey(projectKey)
return projectRoleManager.isUserInProjectRole(currentUser, role, projectObj)

 

If am logged as user who is in Admin Role in current project, I see this fragment in project sidebar section.
If I am logged as user who is not in Admin role, I don't see this fragment.
So looks like everything is ok at this step.

2. I have to restrict my Rest Endpoint based on project role.
I use the same logic as in previous step - check project and user returned by "ComponentAccessor.getJiraAuthenticationContext().getLoggedInUser()".
Problem is that this "getLoggedInUser()" returns me the same user with admin role regardless who is executing this rest endpoint
a) I logged as user with Admin Role in current project, execute rest endpoint URL directly and "getLoggedInUser()" returns me the correct user
b) I open another browser, logged as another user who is not in Admin role, execute rest endpoint URL directly, but "getLoggedInUser()" returns me the same user as in previous (a) step (user in admin role).

So, looks like "ComponentAccessor.getJiraAuthenticationContext().getLoggedInUser()" returns different values in Script fragment and in rest Endpoint.

I found a solution - user "Get the user making the request" example in https://scriptrunner.adaptavist.com/latest/jira/rest-endpoints.html to get correct user in Rest Endpoint, however I don't understand what is wrong with "getLoggedInUser()"...

Could you help me to understand this?

 

Thank you in advance,
Fyodor.

Answer
Watch
Like Rinaldi Michael likes this
1153 views

1 answer

Suggest an answer

Log in or Sign up to answer
0 votes
Rinaldi Michael
Rinaldi Michael July 11, 2023

I know this is a really old post. Just wanted to know if anyone found a solution to this. 
Theoretically, it feels like checking the logged in user would allow you to restrict users from accessing a REST Endpoint. But it seems that if one user runs the REST Endpoint, every other user who accesses it for the next few minutes gets the same response.

Reply
groups-icon
App Central
TAGS
AUG Leaders

Atlassian Community Events

    See all events