Tags: jira, atlassian-sourcetree, jira-rest-api, jira-plugin, atlassian-plugin-sdk

Make sure that logged in user making use of REST endpoint is part of jira-users


I am using some code for a REST endpoint and I want to make sure that the only users who are allowed to execute this REST endpoint are logged in and are also part of the jira-users group. I am using the code below, and more specifically the line httpMethod: "GET", groups: ["jira-users"]) to ensure that the logged-in user is part of the group jira-users. Is this correct, or should I do it another way?

import groovy.json.JsonBuilder
import groovy.transform.BaseScript
import com.atlassian.jira.issue.Issue
import javax.ws.rs.core.Response
import org.apache.log4j.Logger
import com.onresolve.scriptrunner.runner.rest.common.CustomEndpointDelegate
import javax.ws.rs.core.MultivaluedMap
import com.atlassian.jira.component.ComponentAccessor
import com.onresolve.scriptrunner.runner.ScriptRunnerImpl
import com.atlassian.sal.api.ApplicationProperties
import com.atlassian.sal.api.UrlMode
import Helper

@BaseScript CustomEndpointDelegate delegate
def log = Logger.getLogger("atlassian-jira.log")

// Settings supplied by the poster's own Helper script
def bulkSplitterHashMap = Helper.getBulkSplitterHashMap()
int iTracSuperFeatureSplitterIssueTypeID = bulkSplitterHashMap["iTracSuperFeatureSplitterIssueTypeID"]
int iTracSuperFeatureSplitterProjectID = bulkSplitterHashMap["iTracSuperFeatureSplitterProjectID"]
String iTracSuperFeatureSplitterURL = bulkSplitterHashMap["iTracSuperFeatureSplitterURL"]

// groups: restricts the endpoint to callers who are members of jira-users
callMounaBulkSplitter(httpMethod: "GET", groups: ["jira-users"]) {
  MultivaluedMap queryParams, String body ->
  def user = ComponentAccessor.jiraAuthenticationContext?.loggedInUser
  def issueId = queryParams.getFirst("issueId") as Long
  // IssueManager does not check the caller's Browse permission on the issue
  Issue myissue = ComponentAccessor.getIssueManager().getIssueObject(issueId)
  if (myissue == null) {
    // Unknown issueId: answer explicitly instead of failing with a NullPointerException
    return Response.status(Response.Status.NOT_FOUND).build()
  }
  def issueKey = myissue.getKey()
  def project = myissue.getProject()
  def baseUrl = ScriptRunnerImpl.getOsgiService(ApplicationProperties).getBaseUrl(UrlMode.ABSOLUTE)
  // Fill the :1: and :2: placeholders of the target URL with the issue key and the user name
  def iTracSuperFeatureSplitterURL2 = iTracSuperFeatureSplitterURL.replaceAll(":1:", issueKey)
  def iTracSuperFeatureSplitterURL3 = iTracSuperFeatureSplitterURL2.replaceAll(":2:", user.getUsername())
  def projectID = project.get("id")
  int projectIDInt = projectID as int
  if (iTracSuperFeatureSplitterProjectID == projectIDInt && iTracSuperFeatureSplitterIssueTypeID == Long.valueOf(myissue.getIssueTypeId())) {
    return Response.temporaryRedirect(URI.create(iTracSuperFeatureSplitterURL3)).build()
  }
  // Issue is not in the configured project or of the configured type: return an explicit empty response
  return Response.noContent().build()
}

Solution

  • Yes, this is exactly the correct way, as stated in the ScriptRunner documentation.
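
As an added example (not part of the original question or answer, and not ScriptRunner's own code), the endpoint below keeps the groups: restriction and also re-checks the caller inside the closure, then checks Browse permission on the requested issue, because IssueManager returns issues without applying permission checks. The endpoint name checkedIssueLookup, the deny helper and the JSON response shape are hypothetical, and the Browse check goes beyond what the question asked about.

```groovy
import com.atlassian.jira.component.ComponentAccessor
import com.atlassian.jira.permission.ProjectPermissions
import com.onresolve.scriptrunner.runner.rest.common.CustomEndpointDelegate
import groovy.json.JsonBuilder
import groovy.transform.BaseScript
import javax.ws.rs.core.MultivaluedMap
import javax.ws.rs.core.Response

@BaseScript CustomEndpointDelegate delegate

// Hypothetical helper: every rejection gets the same JSON shape.
def deny = { Response.Status status, String message ->
    Response.status(status).entity(new JsonBuilder([error: message]).toString()).build()
}

// "checkedIssueLookup" is a hypothetical endpoint name.
// groups: is the first gate; the checks inside the closure are defence in depth.
checkedIssueLookup(httpMethod: "GET", groups: ["jira-users"]) { MultivaluedMap queryParams, String body ->
    def user = ComponentAccessor.jiraAuthenticationContext.loggedInUser

    // Explicit re-check, so the closure stays safe if the groups: argument
    // is later edited or removed from the endpoint definition.
    if (!user) {
        return deny(Response.Status.UNAUTHORIZED, "Login required")
    }
    if (!ComponentAccessor.groupManager.isUserInGroup(user, "jira-users")) {
        return deny(Response.Status.FORBIDDEN, "Not a member of jira-users")
    }

    // Validate the parameter before casting; a non-numeric value would otherwise throw.
    def rawId = queryParams.getFirst("issueId") as String
    if (!rawId?.isLong()) {
        return deny(Response.Status.BAD_REQUEST, "issueId must be numeric")
    }

    def issue = ComponentAccessor.issueManager.getIssueObject(rawId.toLong())

    // Group membership says nothing about this particular issue. Missing and
    // non-browsable issues get the same answer so the endpoint does not reveal
    // which issue ids exist.
    if (!issue || !ComponentAccessor.permissionManager.hasPermission(
            ProjectPermissions.BROWSE_PROJECTS, issue, user)) {
        return deny(Response.Status.NOT_FOUND, "Issue not found")
    }

    Response.ok(new JsonBuilder([key: issue.key, requestedBy: user.username]).toString()).build()
}
```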