
Key: JRA-13356
Type: Bug
Status: Resolved
Resolution: Fixed
Priority: Major
Assignee: Dushan Hanuska [Atlassian]
Reporter: Igor Sereda
Votes: 7
Watchers: 5

Cannot create issue through SOAP remote API if issue-level security is on

Created: 17/Aug/07 05:54 AM   Updated: 29/Jul/08 11:37 PM
Component/s: Remote API (SOAP & XML-RPC)
Affects Version/s: 3.10.1
Fix Version/s: 3.13

Time Tracking:
Original Estimate: 1 day, 4 hours
Remaining Estimate: 0 minutes
Time Spent: 1 day, 2 hours


Participants: Chris Kohlhardt, Dushan Hanuska [Atlassian], Igor Sereda, Jed Wesley-Smith [Atlassian], Jeremy Lingmann, Mehmet Milci, Reid Sayre and Uwe Voellger
Since last comment: 25 weeks ago
Resolution Date: 28/Jul/08 10:31 PM
To be done by: Single developer


Description
If a project has issue-level security scheme assigned, and a user has set-security-level permission, security level is required to create an issue. This makes it impossible to create an issue through SOAP, because RemoteIssue doesn't provide such field.

More specifically:
a) if I try to create an issue as usual, I get an error saying "security level is required".
b) any ways to pass security level to the server fail, including specifying custom field of name "security" or specifying <security> tag in the SOAP request.

Interestingly, I can change security level through SOAP's updateIssue request because it doesn't use RemoteIssue.



Igor Sereda added a comment - 20/Aug/07 04:08 AM
If I may suggest, you can add another method createIssue2(), which would take the parameters in the same form updateIssue() does – just pairs (fieldname, string_value[]). This method would be more flexible and allow easier extension in the future, probably would be more neat to implement. If, on the other hand, you expand RemoteIssue structure, this may cause incompatibilities with existing remote API clients. You will also need to introduce RemoteSecurityLevel to keep things consistent. And I'm not sure all this structureness in remote API is really needed.

Thanks!
Igor


Jeremy Lingmann added a comment - 07/Sep/07 04:24 AM
Seems to me like this should be resolved by updating the Enterprise Jira SOAP API so that users can create an issue with the security level set. This is one of the main Enterprise features we use and I was pretty disappointed to find out the SOAP API doesn't support creating issues with a security level set...

Uwe Voellger added a comment - 27/Sep/07 02:27 AM
Same for me: importing a lot of issues from our current tracking system requires the possibility to set the issue security level during issue creation.

Mehmet Milci added a comment - 27/Sep/07 02:48 AM - edited
It's only a workaround, but you can set the security level with a listener like this:
SetSecurityLevelListener.java
package tr.com.yurticikargo.jira.securitylevel;

import com.atlassian.jira.ManagerFactory;
import com.atlassian.jira.event.issue.AbstractIssueEventListener;
import com.atlassian.jira.event.issue.IssueEvent;
import com.atlassian.jira.event.issue.IssueEventListener;
import com.atlassian.jira.issue.MutableIssue;
import com.atlassian.jira.issue.security.IssueSecurityLevelManager;

import com.opensymphony.user.User;

import java.util.Collection;
import java.util.Iterator;
import java.util.List;
import java.util.Map;

import org.ofbiz.core.entity.GenericValue;


public class SetSecurityLevelListener extends AbstractIssueEventListener implements IssueEventListener
{

	private final IssueSecurityLevelManager issueSecurityLevelManager = ManagerFactory.getIssueSecurityLevelManager(); 
  private final String SECURTY_LEVEL_PREFIX = "Securty Level Name Prefix (Default #)";
  private final String PROJECTS_TO_SET = "Project Keys (Enter project keys with (;) without space; Null for All Projects)";
	
	private String projectsToSet;
	private String securtyLevelPrefix;
	
  public void init(Map params)
  {
    projectsToSet = null;
    if (params.containsKey(PROJECTS_TO_SET )){
      projectsToSet = (String)params.get(PROJECTS_TO_SET)+";";
    }
    securtyLevelPrefix = "#";
    if (params.containsKey(SECURTY_LEVEL_PREFIX )){
      securtyLevelPrefix= (String)params.get(SECURTY_LEVEL_PREFIX);
    }
  }
    
  public String[] getAcceptedParams()
  {
    return new String[]{PROJECTS_TO_SET, SECURTY_LEVEL_PREFIX};
  }

  public void issueCreated(IssueEvent event) {
		MutableIssue issue = (MutableIssue)event.getIssue();
    if (projectsToSet !=null && projectsToSet.indexOf(issue.getProjectObject().getKey()+";")<0) 
    {
      return;
    }
		User reporter = issue.getReporter();
		List reporterGroups = reporter.getGroups();
		try {
			Collection issueSecurityLevels = issueSecurityLevelManager.getUsersSecurityLevels(issue.getGenericValue(), reporter);
      groups:
			for (Iterator iterator = reporterGroups.iterator(); iterator.hasNext();) {
				String groupName = (String) iterator.next();
				for (Iterator iterator1 = issueSecurityLevels.iterator(); iterator1.hasNext();) {
					GenericValue securityLevel = (GenericValue) iterator1.next();
					String s = securityLevel.getString("name");
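					// Strip the configured prefix (not a fixed single character) before comparing with the group name.
					if (s.startsWith(securtyLevelPrefix) && s.substring(securtyLevelPrefix.length()).equals(groupName)) {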
						issue.setSecurityLevel(securityLevel);
						issue.store();
						break groups;
					}
				}
			}
		} catch (Exception e) {
			e.printStackTrace();
		}
		return;
  }

  public boolean isInternal()
  {
    return false;
  }

  public boolean isUnique()
  {
    return false;
  }

  public String getDescription()
  {
    return "It sets the issue security level based on one group the reporter is member of.<br>The group and security level have both the same name and in order to make this work as we expect, the user cannot be member of more than one group that has the same name of a security level.";
  }

}
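
The listener's matching rule and the ambiguity its description warns about, as an added stand-alone example (not part of the comment above and not JIRA code). The class name, method name and sample data are hypothetical, and returning null when more than one level matches is a choice made here rather than the listener's behaviour, which takes the first match.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;

// Stand-alone model of the rule "security level name = <prefix><group name>".
// No JIRA classes are used; names and data are constructed for illustration.
public class SecurityLevelMatch {

    /**
     * Returns the one level whose name matches a group of the reporter,
     * or null when no level matches or when several do.
     */
    static String resolve(List<String> groups, List<String> levelNames, String prefix) {
        List<String> matches = new ArrayList<String>();
        for (String level : levelNames) {
            if (!level.startsWith(prefix)) {
                continue; // not a group-bound level
            }
            // Strip the whole prefix, whatever its length.
            String candidate = level.substring(prefix.length());
            if (groups.contains(candidate) && !matches.contains(level)) {
                matches.add(level);
            }
        }
        // Ambiguous membership: refuse to guess, so an issue is never stored
        // under a level that was picked by iteration order.
        return matches.size() == 1 ? matches.get(0) : null;
    }

    public static void main(String[] args) {
        // Constructed sample levels: two group-bound, one unrelated.
        List<String> levels = Arrays.asList("#support", "#finance", "public");

        // Reporter in exactly one matching group.
        System.out.println(resolve(Arrays.asList("jira-users", "support"), levels, "#"));
        // Reporter in two matching groups: ambiguous.
        System.out.println(resolve(Arrays.asList("support", "finance"), levels, "#"));
        // Reporter in no matching group.
        System.out.println(resolve(Arrays.asList("jira-users"), levels, "#"));
        // Multi-character prefix.
        System.out.println(resolve(Arrays.asList("b"), Arrays.asList("sec-b", "sa"), "sec-"));
    }
}
```

When the result is null, the issue needs a fallback (for example the project's default level, or manual triage) so that it is not left without a security level.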

Uwe Voellger added a comment - 27/Sep/07 03:00 AM
Thanks for this proposal.
Unfortunately this does not work since the limitations listed in the description are not fulfilled.

Jed Wesley-Smith [Atlassian] added a comment - 06/Dec/07 08:00 PM
The fix for this issue has not been able to make it into JIRA v3.12. We are hoping to incorporate it into v3.12.1. As of writing however, there are 163 items scheduled as Fix For v3.12.1. We will not be able to include all of them.

Chris Kohlhardt added a comment - 27/Dec/07 09:25 PM - edited
While not ideal, I was able to work around this issue by doing HTTP requests.

Here is a PHP example:

$curl = curl_init();
// URL-encode the credentials so special characters do not break the query string.
$loginUrl = "http://localhost/login.jsp?os_username=" . urlencode($soapUsername) . "&os_password=" . urlencode($soapPassword) . "&os_cookie=true";
curl_setopt($curl,CURLOPT_URL, $loginUrl );
curl_setopt($curl,CURLOPT_POST, true );
// The session cookie from the login is kept on this handle and reused below.
curl_setopt($curl,CURLOPT_COOKIEFILE, '/tmp/cookie' );
curl_setopt($curl,CURLOPT_COOKIEJAR, '/tmp/cookiejar' );
curl_setopt($curl,CURLOPT_RETURNTRANSFER, true );
curl_setopt($curl,CURLOPT_FOLLOWLOCATION, false );
curl_setopt($curl,CURLOPT_NOBODY, true );
// CURLOPT_MUTE from the original post is dropped: current PHP/libcurl builds no longer
// define it, and CURLOPT_RETURNTRANSFER above already suppresses output.
curl_exec( $curl );

// Create the issue through the web form action, passing the security level id directly.
curl_setopt($curl,CURLOPT_RETURNTRANSFER, false );
curl_setopt($curl,CURLOPT_URL, "http://localhost/secure/CreateIssueDetails.jspa?pid=12345&issuetype=1&summary=foo&assignee=" . urlencode($project->lead) . "&reporter=" . urlencode($soapUsername) . "&security=10003" );
curl_exec( $curl );
curl_close( $curl );

Reid Sayre added a comment - 05/Mar/08 01:00 PM
Please fix this at the earliest opportunity. We really need it (and we are getting ready to decide if we want to renew JIRA).

At the very least do this:

  • When creating an issue in the web interface, if there is a default security level set, that is preset in the field on the web page. Even if security is "required," if there is a default, the user doesn't actually have to do anything.
  • Add the function that when creating an issue via the SOAP interface, if there is a default security level specified for the project, pick that up and use it without the SOAP programmer having to do anything.
  • This should be a simple thing to do and does not require an interface change. Just do the right thing.