Can only system administrators setup a webservice connection for ConfiForms?

Hi @Alex Medved _ConfiForms_ 

By system administrator, I actually meant Confluence administrator. Thank you for using the more accurate term.

But why can only a Confluence administrator configure a WS connection? This makes the use of REST APIs inflexible, as I have to ask my admin colleagues for support every time. Also, the list is likely to grow as more ConfiForms developers use different WebServices.

I suspect this is for security reasons, to separate and hide the credentials from the ConfiForms code.

Right?

Hi

This is by design and allows your responsible personnel to be aware o the connections to external systems the Confluence has and may do.

This can be changed in the ConfiForms settings - either lowering the security and allowing non admin users to configure connections (allowUserConnections) or increasing the follow whitelists and so on (whitelistEnforcement)

Alex

Hi @Alex Medved _ConfiForms_ 

this is a great suggestion. Since I don't have access to ConfiForms settings, I didn't know about allowUserConnections or whitelistEnforcement.

I will discuss this with my colleagues.

Thanks for your support! 👍

Best regards
Ulrik

When enabled, the UI to configure web-service connections will appear in user profile settings.

Alex

Hi @Alex Medved _ConfiForms_ ,

one last question to whiteListEnforcement you have suggested above. The meaning of this setting in respect to Web Service connections is not clear to me.

To check the function of the allowUserConnections or whitelistEnforcement settings, I organized a Confluence DC test instance where I have access to the admin settings

allowUserConnections

• In the admin section "ConfiForms general settings", I enabled allowUserConnections and was able to configure a web service connection in my user profile settings. Exactly as you have described above. And, by doing this, I was able to access external public REST API servers. 👍

whiteListEnforcement

• I enabled whiteListEnforcement and added one of the public servers to the Allowlist. I thought, this would allow to connect to the server without a Web Service connection. But this did not work (error message: Webservice connection is not selected). 
• I left the whiteListEnforcement setting enabled and removed the public server from the Allowlist. Expected behaviour: As none of the used servers is on the list, no data should be read via REST. But in fact, I was still able to read the data.

Could you please explain the meaning of whiteListEnforcement in respect to Web Service connections a bit more?

Thanks + best regards
Ulrik

Hi

This is what whiteListEnforcement is all about

https://confluence.atlassian.com/conf59/configuring-the-whitelist-792499785.html

And ConfiForms follows these rules and will allow connections only to these servers (you will still need to define a connection in ConfiForms, but only the ones that match the rules in the whitelisting will be work)

Alex

Hi @Alex Medved _ConfiForms_ 

thanks for your explanation. However, as I described above in the second bullet point under whitelistEnforcement, it doesn't work as expected.

At least not in my test environment. (BTW: The term whitelist has been changed to allowlist in the Confluence user interface. Reference)

My test environment:

• Confluence DC 7.19.1
• ConfiForms 3.3.9 (Evaluation, Unlimited-user commercial license, Data Center)
• Allowlist is turned on and list is empty (see screenshot).
• Settings whitelistEnforcement and allowUserConnections are enabled.
• ConfiForms user settings - Web services connections: see screenshot.
• ConfiForms IFTTT macro settings as showed in storage format below.

Expected result:

• As the allowlist is empty, Confluence will display an error and prompt the user to add the URL to the allowlist. [Reference]

Test result:

• No error message.
• Expected json data is fetched from the rest api server.

Am I doing anything wrong or could it be a bug?

Regards
Ulrik

<ac:structured-macro ac:macro-id="c357d447-51a8-4586-99f6-bc0a0ccd1d65" ac:name="confiform-ifttt" ac:schema-version="1">
<ac:parameter ac:name="action">WebService Request</ac:parameter>
<ac:parameter ac:name="extras">88f09f74e9b21e8f20f7e2efeea29306</ac:parameter>
<ac:parameter ac:name="event">onCreated</ac:parameter>
<ac:parameter ac:name="title">/get?parm1=val1&amp;parm2=val2</ac:parameter>
<ac:parameter ac:name="resultName">restResponse</ac:parameter>
<ac:parameter ac:name="who">GET</ac:parameter>
<ac:rich-text-body>
<p>
<br/>
</p>
</ac:rich-text-body>
</ac:structured-macro>

Hi @Ulrik Schoth 

You are right, it seems that the service that allows us to check that was not properly working in the plugin anymore (not being properly looked up - seems that something has silently changed on the Confluence side)

We have fixed that in the upcoming 3.4.0 version of ConfiForms

Alex

Hi @Alex Medved _ConfiForms_ 

that's great to hear! I'm looking forward to the new version.

Best regards
Ulrik

Hi @Alex Medved _ConfiForms_ ,

I have updated ConfiForms to version 3.4.0 in my test environment and can confirm that the behaviour of the whitelistEnforcement setting is now as expected:

• After the update, I could not retrieve data from any of my configured rest api servers. This made sense as the allowlist (or whitelist) was empty. Instead, an error message was displayed (see screenshot as an example).
• After I added all the rest server domains to the allowlist, the data could be retrieved again.

Thanks for providing a fix so quickly. 🤩

Best regards
Ulrik