Restrict/reduce the scope of permissions required for Gitlab integration for Smart Links to read-only (instead of read-write)


    • Type: Suggestion
    • Resolution: Unresolved
    • Component/s: Smart Link

      Background

      Currently, when clicking "Connect your Gitlab account" for any Smart Link that points to a Gitlab URL, the OAuth flow seems to require excessive permissions. It requests permission to "Access the API on your behalf", which includes "complete read/write access to the API".

      The main concern from this request is that data could be potentially modified by Atlassian, intentionally or not.

      Suggestions

      According to this Gitlab document, other scopes could potentially be used for these integrations instead, like "read_api" instead of the current one (which seems to be "api").

      This suggestion asks for the review of this Smart Link implementation and potential replacement with a scope of permissions that allows only "read" for the required steps of rendering Smart Link information.
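      As an added illustration (not Atlassian's or Gitlab's own code), the snippet below shows the difference in practice: it builds a Gitlab OAuth authorization URL that only ever asks for read scopes, and it audits the scopes actually granted to a token, as returned in the "scope" list of Gitlab's GET /oauth/token/info response. The client ID, redirect URI, state value and the sample token-info payloads are constructed for the example; the scope names are the ones from Gitlab's documented OAuth scope list.

```python
from urllib.parse import urlencode, urlparse, parse_qs

# Gitlab.com authorization endpoint (self-managed instances use the same path on their host).
GITLAB_AUTHORIZE = "https://gitlab.com/oauth/authorize"

# Scopes from Gitlab's OAuth scope list that grant write access to the API or repositories.
WRITE_SCOPES = {"api", "write_repository", "write_registry"}

# Read-only scopes; "read_api" alone is enough to fetch issue/MR/project metadata
# for rendering a Smart Link.
READ_ONLY_SCOPES = {"read_api", "read_user", "read_repository", "read_registry"}


def build_authorize_url(client_id, redirect_uri, state, scopes=("read_api",)):
    """Return the authorization URL for the given scopes.

    Refuses to build a URL that requests any write-capable scope, so the
    integration cannot accidentally fall back to the broad "api" scope.
    """
    requested = set(scopes)
    too_broad = requested & WRITE_SCOPES
    if too_broad:
        raise ValueError(f"write-capable scope requested: {sorted(too_broad)}")
    unknown = requested - READ_ONLY_SCOPES
    if unknown:
        raise ValueError(f"unrecognised scope requested: {sorted(unknown)}")
    params = {
        "client_id": client_id,          # assumed: the integration's OAuth app ID
        "redirect_uri": redirect_uri,    # assumed: the integration's callback URL
        "response_type": "code",
        "state": state,                  # CSRF token; must be checked on callback
        "scope": " ".join(sorted(requested)),  # Gitlab separates scopes with spaces
    }
    return f"{GITLAB_AUTHORIZE}?{urlencode(params)}"


def scopes_in_url(url):
    """Extract the space-separated scope list from an authorization URL."""
    query = parse_qs(urlparse(url).query)
    return query.get("scope", [""])[0].split()


def audit_token_scopes(token_info):
    """Given the JSON from GET /oauth/token/info, list any write-capable scopes.

    An empty list means the token is read-only and suitable for rendering
    Smart Links; a non-empty list means the user granted more than needed.
    """
    granted = set(token_info.get("scope", []))
    return sorted(granted & WRITE_SCOPES)


if __name__ == "__main__":
    url = build_authorize_url("example-client-id", "https://example.invalid/callback", "s3cr3t")
    print(url)

    # Constructed sample token-info payloads, shaped like Gitlab's /oauth/token/info response.
    broad_token = {"resource_owner_id": 42, "scope": ["api"], "expires_in": 7200}
    narrow_token = {"resource_owner_id": 42, "scope": ["read_api", "read_user"], "expires_in": 7200}
    for name, info in (("broad", broad_token), ("narrow", narrow_token)):
        extra = audit_token_scopes(info)
        print(f"{name}: {'over-scoped ' + str(extra) if extra else 'read-only'}")
```

      The audit function is the piece worth keeping around: after the OAuth callback, calling /oauth/token/info with the new bearer token and passing the JSON to audit_token_scopes() confirms that the granted scopes really are read-only, regardless of what the authorization URL asked for.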


            Assignee: Unassigned
            Reporter: Rodrigo Bozza (Atlassian)
            Votes: 1
            Watchers: 2
