I am using some code for a REST endpoint, and I want to make sure that the only users who are allowed to execute this REST endpoint are logged in and are also part of the jira-users group. I am using the following code below, and more specifically the line httpMethod: "GET", groups: ["jira-users"]) to ensure that the logged-in user is part of the group jira-users. Is this correct, or should I do it another way?
import groovy.json.JsonBuilder
import groovy.transform.BaseScript
import com.atlassian.jira.issue.Issue
import javax.ws.rs.core.Response
import org.apache.log4j.Logger
import com.onresolve.scriptrunner.runner.rest.common.CustomEndpointDelegate
import javax.ws.rs.core.MultivaluedMap
import com.atlassian.jira.component.ComponentAccessor
import com.onresolve.scriptrunner.runner.ScriptRunnerImpl
import com.atlassian.sal.api.ApplicationProperties
import com.atlassian.sal.api.UrlMode
import Helper

@BaseScript CustomEndpointDelegate delegate

def log = Logger.getLogger("atlassian-jira.log")

// Configuration values come from the Helper script class
def bulkSplitterHashMap = Helper.getBulkSplitterHashMap()
int iTracSuperFeatureSplitterIssueTypeID = bulkSplitterHashMap["iTracSuperFeatureSplitterIssueTypeID"]
int iTracSuperFeatureSplitterProjectID = bulkSplitterHashMap["iTracSuperFeatureSplitterProjectID"]
String iTracSuperFeatureSplitterURL = bulkSplitterHashMap["iTracSuperFeatureSplitterURL"]

// groups: only members of jira-users may call this endpoint
callMounaBulkSplitter(httpMethod: "GET", groups: ["jira-users"]) { MultivaluedMap queryParams, String body ->
    def user = ComponentAccessor.jiraAuthenticationContext?.loggedInUser
    def issueId = queryParams.getFirst("issueId") as Long
    Issue myissue = ComponentAccessor.getIssueManager().getIssueObject(issueId)
    // getIssueObject returns null for an unknown id; answer 404 instead of failing with a NullPointerException
    if (myissue == null) {
        return Response.status(Response.Status.NOT_FOUND).build()
    }
    def issueKey = myissue.getKey()
    def project = myissue.getProject()
    def baseUrl = ScriptRunnerImpl.getOsgiService(ApplicationProperties).getBaseUrl(UrlMode.ABSOLUTE)
    // Fill the :1: (issue key) and :2: (username) placeholders in the target URL
    def iTracSuperFeatureSplitterURL2 = iTracSuperFeatureSplitterURL.replaceAll(":1:", issueKey)
    def iTracSuperFeatureSplitterURL3 = iTracSuperFeatureSplitterURL2.replaceAll(":2:", user.getUsername())
    def projectID = project.get("id")
    int projectIDInt = projectID as int
    if (iTracSuperFeatureSplitterProjectID == projectIDInt && iTracSuperFeatureSplitterIssueTypeID == Long.valueOf(myissue.getIssueTypeId())) {
        return Response.temporaryRedirect(URI.create(iTracSuperFeatureSplitterURL3)).build()
    }
    // The closure must always return a Response, also when the issue does not match
    return Response.status(Response.Status.BAD_REQUEST).build()
}
Yes, this is exactly the correct way, as stated in the ScriptRunner documentation.
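
An added example, not part of the original posts and not ScriptRunner's own code: the same `groups` restriction combined with explicit checks inside the closure, namely input validation on `issueId` and a browse-permission check on the requested issue. The endpoint name `issueKeyLookup` and the JSON response shape are hypothetical.

```groovy
import com.atlassian.jira.component.ComponentAccessor
import com.atlassian.jira.permission.ProjectPermissions
import com.onresolve.scriptrunner.runner.rest.common.CustomEndpointDelegate
import groovy.json.JsonBuilder
import groovy.transform.BaseScript
import javax.ws.rs.core.MediaType
import javax.ws.rs.core.MultivaluedMap
import javax.ws.rs.core.Response

@BaseScript CustomEndpointDelegate delegate

// Hypothetical endpoint name. "groups" limits the endpoint to members of jira-users.
issueKeyLookup(httpMethod: "GET", groups: ["jira-users"]) { MultivaluedMap queryParams, String body ->
    def user = ComponentAccessor.jiraAuthenticationContext.loggedInUser

    // Defence in depth: re-check login and group membership explicitly,
    // so the check survives if the "groups" argument is edited later.
    if (user == null || !ComponentAccessor.groupManager.isUserInGroup(user, "jira-users")) {
        return Response.status(Response.Status.FORBIDDEN).build()
    }

    // issueId is caller-controlled: accept plain digits only.
    def rawId = queryParams.getFirst("issueId") as String
    if (!rawId || !(rawId ==~ /\d{1,18}/)) {
        return Response.status(Response.Status.BAD_REQUEST).build()
    }

    def issue = ComponentAccessor.issueManager.getIssueObject(Long.parseLong(rawId))

    // Group membership does not imply access to every issue, so check the
    // Browse Projects permission for this issue. The same 404 is returned
    // for "does not exist" and "not visible" to avoid confirming issue ids.
    def canSee = issue != null &&
        ComponentAccessor.permissionManager.hasPermission(ProjectPermissions.BROWSE_PROJECTS, issue, user)
    if (!canSee) {
        return Response.status(Response.Status.NOT_FOUND).build()
    }

    return Response.ok(new JsonBuilder([key: issue.key]).toString())
        .type(MediaType.APPLICATION_JSON)
        .build()
}
```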