Details
-
Bug
-
Resolution: Won't Fix
-
Low
-
None
-
2
-
Severity 3 - Minor
-
Description
Summary
When using the ScriptRunner add-on, we can create scripts to download attachments from issues. In this case, it will use the following link to get the file:
https://instance.atlassian.net/secure/attachment/<attachment_id>/<filename>
This works if run using the current user. However, if we configure the script to run that as the addon_com.onresolve.jira.groovy.groovyrunner user, it fails with a 401 Unauthorized error. Even if the user has full access to the project and issues.
We can see that even in script that first run a JQL via REST which works. So the add-on user has permission to run JQL via REST, it's just getting the attachments that fail.
Steps to Reproduce
- Create a script, say in a postfunction, using ScriptRunner to get attachment from an issue using a link like this:
https://instance.atlassian.net/secure/attachment/<attachment_id>/<filename> - First, select to run as current user
- Run it
- Then, change it to run as ScriptRunner user
- Run it again
Expected Results
Both times, the script is able to download the attachment.
Actual Results
It works when run as current user (provided the user has access to the issue), but it fails with the add-on user with this error:
2017-07-27 20:42:02.450 WARN - GET request to https://instance.atlassian.net/secure/attachment/<id>/<attachment> returned an error code: status: 401 - Unauthorized
body:
<html>
<head>
<title>Unauthorized (401)</title>
<!--[if IE]><![endif]-->
<script type="text/javascript" >
var contextPath = '';
var DeferScripts = { deferState: 'disabled' };
</script>
<script>
window.WRM=window.WRM||{};window.WRM._unparsedData=window.WRM._unparsedData||{};window.WRM._unparsedErrors=window.WRM._unparsedErrors||{};
WRM._unparsedData["com.atlassian.plugins.atlassian-plugins-webresource-plugin:context-path.context-path"]="\"\"";
WRM._unparsedData["com.atlassian.plugins.atlassian-plugins-webresource-rest:curl.cross-origin-resources"]="false";
WRM._unparsedData["jira.webresources:feature-flags.feature-flag-data"]="{\"enabled-feature-keys\":[\"com.atlassian.rm.portfolio.vertigo.AMQ\",\"com.atlassian.jira.agile.darkfeature.boardtoprojectcache.enabled\",\"ka.FLUSH_HEAD_EARLY\",\"sd.new.settings.sidebar.location\",\"jira.frother.reporter.field\",\"jira.plugin.devstatus.phasetwo\",\"statusSearchRenderer.enableFastWorkflowStatusQuery\",\"atlassian.rest.xsrf.legacy.enabled\",\"jira.attachment.vertigo.MEDIA_API_READ\",\"dvcs.connector.smartcommits.disabled\",\"com.atlassian.jira.plugins.one-click-invite-enabled\",\"jira.issue.status.lozenge\",\"unified.usermanagement\",\"jira.project.config.new.version.menu\",\"com.atlassian.jira.projects.issuenavigator\",\"com.atlassian.growth.experiments.aesJavaClient\",\"jira.plugin.devstatus.phasetwo.enabled\",\"jira.project.config.old.components.screen.disabled\",\"com.atlassian.jira.config.CoreFeatures.PERMISSIONS_MANAGED_BY_UM\",\"jira.dashboard.statistics.service.statistics_searcher.vsearch\",\"com.atlassian.jira.config.CoreFeatures.ON_DEMAND\",\"com.atlassian.jira.ULTIMATE_SEARCH_FILTERS_ON\",\"connect.no-applinks\",\"jira.attachment.vertigo.SYNCHRONOUS_UPLOAD\",\"fusion.dvcs.use_amq_to_invoke_sync.enabled\",\"jira.vertigo.big
2017-07-27 20:42:02.454 INFO - GET https://instance.atlassian.net/secure/attachment/<id>/<attachment> asString Request Duration: 424ms
2017-07-27 20:42:02.605 ERROR - Unexpected response status '401' for API 'GET
Notes
This is likely due to problem authenticating to Media API.
Workaround
Run as current user instead.