Details
- Suggestion
- Resolution: Won't Do
Description
NOTE: This suggestion is for JIRA Server. Using JIRA Cloud? See the corresponding suggestion.
Request:
The option is labeled as allowing or denying API calls to authenticated users, but it is not made clear that this does not refer to all API calls. Please adjust the display verbiage.
Background:
REST APIs cannot be turned off, and this needs to be made clear in the UI, as they are essential core JIRA components that require access from client to server in order to process and feed back information from JIRA.
For example, JIRA's entire @mention system relies solely on the REST APIs. In addition, all functions in GreenHopper, JQL searching, etc. require data to be passed to and from your browser via the APIs, so turning them off would likely stop the web app from functioning.
There is no inherent security risk in having the REST API open, as the access control for the APIs is the same access control held by your JIRA instance, i.e. if you can see an issue via the REST APIs then you can also see it through the interface.
e.g.:
If I don't need to be logged in to get information from this issue in my browser:
http://localhost:8527/browse/EXM-1
I also don't need to be logged in to get this information through the REST API:
http://localhost:8527/rest/api/latest/issue/EXM-1
If, on the other hand, I restricted public access to that issue, then I also would not be able to obtain JSON data about it through the APIs. The access control is one and the same.
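One way to verify this parity on an instance you administer, as an added example (not part of the original ticket and not Atlassian code): it requests each issue anonymously through both URLs shown above and reports any key where the UI and REST answers differ. The keys EXM-2 and EXM-3, the constructed status table, and the rule that only a direct 200 counts as readable are assumptions.

```python
import urllib.error
import urllib.request

BASE_URL = "http://localhost:8527"  # instance URL from the ticket's example


class NoRedirect(urllib.request.HTTPRedirectHandler):
    # Returning None makes urllib raise HTTPError for a 3xx instead of
    # following it, so a bounce to the login page is not read as a 200.
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def http_status(url):
    """Anonymous GET (no cookies, no credentials); returns the HTTP status."""
    opener = urllib.request.build_opener(NoRedirect)
    try:
        with opener.open(url, timeout=10) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def visible(status):
    # Assumption: only a direct 200 means the anonymous caller can read the issue.
    return status == 200


def audit(issue_keys, fetch=http_status, base_url=BASE_URL):
    """Return {key: (ui_visible, rest_visible)} for keys where the two differ."""
    mismatches = {}
    for key in issue_keys:
        ui = visible(fetch(f"{base_url}/browse/{key}"))
        rest = visible(fetch(f"{base_url}/rest/api/latest/issue/{key}"))
        if ui != rest:
            mismatches[key] = (ui, rest)
    return mismatches


# Constructed status codes (not captured from a real instance) for an offline run.
SAMPLE = {
    f"{BASE_URL}/browse/EXM-1": 200, f"{BASE_URL}/rest/api/latest/issue/EXM-1": 200,
    f"{BASE_URL}/browse/EXM-2": 302, f"{BASE_URL}/rest/api/latest/issue/EXM-2": 401,
    f"{BASE_URL}/browse/EXM-3": 302, f"{BASE_URL}/rest/api/latest/issue/EXM-3": 200,
}

if __name__ == "__main__":
    # Drop fetch=SAMPLE.get to query a live instance you administer instead.
    print(audit(["EXM-1", "EXM-2", "EXM-3"], fetch=SAMPLE.get))
```

An empty result means the UI and the REST API agree for every key checked; any entry is a key where anonymous access differs between the two and should be investigated.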
Issue Links
- relates to: JRACLOUD-31822 "Accept remote API calls" option in General Configuration does not specify that it does not affect REST in GUI (Closed)