Apps should be allowed to access restricted user profile information if the user provided consent


      Issue Summary

      If a user restricts the visibility of any of their profile information (e.g. timezone), apps don't have access to that information.

      This limits the ability of apps to provide the functionality required by users.

      Suggested solution

      Users have the option to give apps consent to access their user profile information. If consent is not given, apps are provided with a mechanism to determine whether the information for that user profile is restricted.

      Notes about the current behaviour

      The current behaviour is described in the Jira documentation at https://developer.atlassian.com/cloud/jira/platform/profile-visibility/.

      This applies to cases where the profile information is restricted in either of the two ways: Organization or Only you.

      Difference between calling the same REST API from the browser or from an app

      This behaviour only applies to requests made by apps. Requests made directly from the browser (e.g. a GET issued when the user enters the URL in the browser address bar) or via curl without the header below are not affected.
      The difference is that, for a Connect app, the request is performed with the additional 'ap-client-key: {existing_and_installed_app_key}' header. When this header is present, the profile visibility rules that apply to apps restrict the visibility of the profile information.

            Assignee: Unassigned
            Reporter: Caterina Curti
            Votes: 38
            Watchers: 16
