Showing results for 
Search instead for 
Did you mean: 
Sign up Log in

Script Runner - Script Fragment and REST Endpoint restriction based on project's role.

Rising Star
Rising Star
Rising Stars are recognized for providing high-quality answers to other users. Rising Stars receive a certificate of achievement and are on the path to becoming Community Leaders.
April 23, 2018


I'd like to restrict Script Fragment and REST Endpoint for users in specific project role.
I detected strange behavior with ApplicationUser returned by "ComponentAccessor.getJiraAuthenticationContext().getLoggedInUser()"


1. I have a script fragment that executes specific rest endpoint with defined project Key: /rest/scriptrunner/latest/custom/myRestendpointFunction?project=${project.key}
Fragment location: jira.project.sidebar.navigation

import com.atlassian.jira.component.ComponentAccessor
import com.atlassian.jira.project.ProjectManager
import com.atlassian.jira.project.Project;
def projectKey = jiraHelper.project?.key;
def currentUser = ComponentAccessor.getJiraAuthenticationContext().getLoggedInUser()
def projectRoleManager = ComponentAccessor.getComponentOfType(ProjectRoleManager);
def projectManager = ComponentAccessor.getProjectManager();
def role = projectRoleManager.getProjectRole("Admin");
Project projectObj = projectManager.getProjectObjByKey(projectKey)
return projectRoleManager.isUserInProjectRole(currentUser, role, projectObj)


If am logged as user who is in Admin Role in current project, I see this fragment in project sidebar section.
If I am logged as user who is not in Admin role, I don't see this fragment.
So looks like everything is ok at this step.

2. I have to restrict my Rest Endpoint based on project role.
I use the same logic as in previous step - check project and user returned by "ComponentAccessor.getJiraAuthenticationContext().getLoggedInUser()".
Problem is that this "getLoggedInUser()" returns me the same user with admin role regardless who is executing this rest endpoint
a) I logged as user with Admin Role in current project, execute rest endpoint URL directly and "getLoggedInUser()" returns me the correct user
b) I open another browser, logged as another user who is not in Admin role, execute rest endpoint URL directly, but "getLoggedInUser()" returns me the same user as in previous (a) step (user in admin role).

So, looks like "ComponentAccessor.getJiraAuthenticationContext().getLoggedInUser()" returns different values in Script fragment and in rest Endpoint.

I found a solution - user "Get the user making the request" example in to get correct user in Rest Endpoint, however I don't understand what is wrong with "getLoggedInUser()"...

Could you help me to understand this?


Thank you in advance,

1 answer

Suggest an answer

Log in or Sign up to answer
0 votes
Rinaldi Michael July 11, 2023

I know this is a really old post. Just wanted to know if anyone found a solution to this. 
Theoretically, it feels like checking the logged in user would allow you to restrict users from accessing a REST Endpoint. But it seems that if one user runs the REST Endpoint, every other user who accesses it for the next few minutes gets the same response.

AUG Leaders

Atlassian Community Events