0

I am using some code for a REST endpoint and I want to make sure that the only users who are allowed to execute this REST endpoint are logged in and are also part of the jira-users group. I am using the code below, and more specifically the line httpMethod: "GET", groups: ["jira-users"]) to ensure that the logged-in user is part of the group jira-users. Is this correct, or should I do it another way?

import groovy.json.JsonBuilder
import groovy.transform.BaseScript
import com.atlassian.jira.issue.Issue
import javax.ws.rs.core.Response
import org.apache.log4j.Logger
import com.onresolve.scriptrunner.runner.rest.common.CustomEndpointDelegate
import javax.ws.rs.core.MultivaluedMap
import com.atlassian.jira.component.ComponentAccessor
import com.onresolve.scriptrunner.runner.ScriptRunnerImpl
import com.atlassian.sal.api.ApplicationProperties
import com.atlassian.sal.api.UrlMode
import Helper

@BaseScript CustomEndpointDelegate delegate
def log = Logger.getLogger("atlassian-jira.log")

// Configuration values supplied by the Helper script class
def bulkSplitterHashMap = Helper.getBulkSplitterHashMap()
int iTracSuperFeatureSplitterIssueTypeID = bulkSplitterHashMap["iTracSuperFeatureSplitterIssueTypeID"]
int iTracSuperFeatureSplitterProjectID = bulkSplitterHashMap["iTracSuperFeatureSplitterProjectID"]
String iTracSuperFeatureSplitterURL = bulkSplitterHashMap["iTracSuperFeatureSplitterURL"]

// groups: [...] restricts the endpoint to members of the listed groups
callMounaBulkSplitter(httpMethod: "GET", groups: ["jira-users"]) {
  MultivaluedMap queryParams, String body ->
  def user = ComponentAccessor.jiraAuthenticationContext?.loggedInUser
  def issueId = queryParams.getFirst("issueId") as Long
  Issue myissue = issueId != null ? ComponentAccessor.getIssueManager().getIssueObject(issueId) : null
  // Avoid a NullPointerException when issueId is missing or matches no issue
  if (!myissue) {
    return Response.status(Response.Status.NOT_FOUND).build()
  }
  def issueKey = myissue.getKey()
  def project = myissue.getProject()
  def baseUrl = ScriptRunnerImpl.getOsgiService(ApplicationProperties).getBaseUrl(UrlMode.ABSOLUTE)
  // Fill the :1: and :2: placeholders of the target URL with the issue key and the user name
  def iTracSuperFeatureSplitterURL2 = iTracSuperFeatureSplitterURL.replaceAll(":1:", issueKey)
  def iTracSuperFeatureSplitterURL3 = iTracSuperFeatureSplitterURL2.replaceAll(":2:", user.getUsername())
  def projectID = project.get("id")
  int projectIDInt = projectID as int
  // Redirect only for the configured project and issue type; otherwise no response is built here
  if (iTracSuperFeatureSplitterProjectID == projectIDInt && iTracSuperFeatureSplitterIssueTypeID == Long.valueOf(myissue.getIssueTypeId())) {
    Response.temporaryRedirect(URI.create(iTracSuperFeatureSplitterURL3)).build()
  }
}

1 Answer

1

Yes, this is exactly the correct way, as stated in the ScriptRunner documentation.

stuck
  • Does it also make sure that the user is logged in? – Mouna Camelia Hammoudi Sep 29 '22 at 08:31
  • Well, "logged in" is actually kind of out of context here, since this is an endpoint and doesn't require an exact log-in to Jira. However, the REST endpoint will not work without authenticating as some user. And if you call this endpoint with a user, yes, it kind of simulates the log-in operation. So basically, yes :) – stuck Sep 29 '22 at 08:33
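
The checks discussed in this thread, written out explicitly inside the endpoint closure as an added example (not code from the question, the answer, or the ScriptRunner documentation). The endpoint name `checkedEndpoint`, the JSON response body, and the per-issue Browse Projects check are assumptions made for illustration; the `groups` restriction is kept as in the question.

```groovy
import com.atlassian.jira.component.ComponentAccessor
import com.atlassian.jira.permission.ProjectPermissions
import com.onresolve.scriptrunner.runner.rest.common.CustomEndpointDelegate
import groovy.json.JsonBuilder
import groovy.transform.BaseScript
import javax.ws.rs.core.MediaType
import javax.ws.rs.core.MultivaluedMap
import javax.ws.rs.core.Response

@BaseScript CustomEndpointDelegate delegate

// Group name taken from the question; everything else here is hypothetical.
final String REQUIRED_GROUP = "jira-users"

checkedEndpoint(httpMethod: "GET", groups: [REQUIRED_GROUP]) { MultivaluedMap queryParams, String body ->
    def user = ComponentAccessor.jiraAuthenticationContext.loggedInUser

    // 1. Authentication: loggedInUser is null when the request is anonymous.
    if (!user) {
        return Response.status(Response.Status.UNAUTHORIZED).build()
    }

    // 2. Group membership, re-checked in code so the rule is visible in the
    //    script body and not only in the endpoint declaration.
    if (!ComponentAccessor.groupManager.isUserInGroup(user, REQUIRED_GROUP)) {
        return Response.status(Response.Status.FORBIDDEN).build()
    }

    // 3. Input validation: issueId must be a number before it is used.
    String rawIssueId = queryParams.getFirst("issueId")
    if (!rawIssueId?.isLong()) {
        return Response.status(Response.Status.BAD_REQUEST).build()
    }

    // 4. Object-level authorization: group membership says nothing about
    //    whether this user may see this particular issue. A missing issue and
    //    a forbidden issue get the same 404 so existence is not disclosed.
    def issue = ComponentAccessor.issueManager.getIssueObject(rawIssueId.toLong())
    def canBrowse = issue && ComponentAccessor.permissionManager
            .hasPermission(ProjectPermissions.BROWSE_PROJECTS, issue, user)
    if (!canBrowse) {
        return Response.status(Response.Status.NOT_FOUND).build()
    }

    def payload = new JsonBuilder([issueKey: issue.key, requestedBy: user.username])
    Response.ok(payload.toString()).type(MediaType.APPLICATION_JSON).build()
}
```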