  1. Jira Align
  2. JIRAALIGN-4708

Accessing the KeyResults endpoint via non-super user gets 403 error



    • 1
    • Severity 3 - Minor
    • No


      Issue Summary

      The KeyResults endpoint appears to be locked to the Super User role only. One would assume that the permissions would be the same as the Objective level that the OKR is tied to.

      I've tested this with a custom (non-Super User) role that has every possible permission enabled and I still get 403 forbidden when doing a GET on one of my KeyResults, even though I can view the same OKR in the JA web UI.

      Steps to Reproduce


      1. I tested this with a Program level objective OKR, but any level should work: create or locate a Key Result and make sure that your current user can see it in the JA UI.
      2. Create (or use an existing) non-Super User role that has every permission enabled.
      3. Assign the user used in step 1 to this role and grab their API token.
      4. Use the API token to make a GET call to the KeyResults API endpoint for the OKR viewed in step 1.

      Expected Results

      The OKR data should be fetched with the GET request.

      Actual Results

      The API request fails with a 403 Forbidden.


      It is possible to make the request using a Super User level account. That is currently the only known workaround.
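
An added regression check for the reproduction steps above (not part of the original ticket and not Atlassian's code): for each role it compares the status of a GET on the Objective with a GET on its Key Result and flags any mismatch. The `/rest/align/api/2` paths, the bearer-token header, the role names, tokens, IDs and the `fake_status` stand-in are assumptions made for illustration.

```python
import urllib.error
import urllib.request

API_ROOT = "/rest/align/api/2"  # assumed API base path; adjust for your instance


def http_status(base_url, path, token):
    """GET base_url + path with a bearer token; return the HTTP status code."""
    req = urllib.request.Request(
        base_url.rstrip("/") + path,
        headers={"Authorization": f"Bearer {token}", "Accept": "application/json"},
    )
    try:
        with urllib.request.urlopen(req, timeout=15) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code  # 403 and other error statuses arrive as exceptions


def parity_report(base_url, tokens, objective_id, key_result_id, get_status=http_status):
    """Return {role: (objective_status, key_result_status, verdict)}."""
    report = {}
    for role, token in tokens.items():
        obj = get_status(base_url, f"{API_ROOT}/Objectives/{objective_id}", token)
        kr = get_status(base_url, f"{API_ROOT}/KeyResults/{key_result_id}", token)
        if obj == kr:
            verdict = "consistent"
        elif obj == 200 and kr == 403:
            verdict = "key-result-blocked"  # Objective readable, Key Result denied
        elif obj == 403 and kr == 200:
            verdict = "key-result-overexposed"  # Key Result readable, Objective denied
        else:
            verdict = "inconsistent"
        report[role] = (obj, kr, verdict)
    return report


def fake_status(base_url, path, token):
    """Constructed stand-in for the server: Key Results answer only the super token."""
    if "/KeyResults/" in path and token != "super-token":
        return 403
    return 200


if __name__ == "__main__":
    # Constructed tokens and IDs; drop the last argument to query a real instance.
    roles = {"custom-all-permissions": "custom-token", "super-user": "super-token"}
    for role, row in parity_report("https://align.example", roles, 101, 202, fake_status).items():
        print(role, *row)
```

Run per release with one token per role; any verdict other than `consistent` means the Key Result authorization has drifted from the Objective it belongs to.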


              csmith1@atlassian.com Cap Smith
              b9109d53fd18 Todd Hall