When creating a connect app, you are free to define the structure of the descriptor per the app's needs.
One of the options is also a key `jiraProjectPages` that allows you to append an app link to the project sidebar.
However, you as a plugin developer might not want to display the app link on each and every project, so you can impose conditions on when it should be displayed.
The conditions are defined here: https://developer.atlassian.com/cloud/jira/platform/connect-conditions
One of the options is to have the sidebar's app link displayed based on the value of a project property.
For example:
"jiraProjectPages": [
  {
    "key": "project",
    "name": { "value": "App name" },
    "url": "project-url",
    "conditions": [
      { "condition": "user_is_logged_in" },
      {
        "condition": "entity_property_equal_to",
        "params": {
          "entity": "project",
          "propertyKey": "app.key",
          "objectName": "isEnabled",
          "value": "true"
        }
      }
    ]
  }
]
This is a good solution. But the problem here is privacy.
Actually ANY LOGGED-IN USER can read and update project properties.
However, if this seems to be a security problem, there is no other way to show/hide the project sidebar link.
So even if there is a privacy risk, should such a solution be used to store the information whether the app link is displayed/hidden?
Hi @Ivan Hanak,
Yes, you are right, since any logged-in user can update the project entity property, a security problem arises if any restricted data is displayed on your "project-url". If no extra data is displayed on your page, it is safe to use the entity property only, because the main effect of modifying the entity property will be UX only: displaying the link or not.
On the other hand, if the "project-url" page displays extra data which the user is not privileged to see normally, you should also store the projectKey:enabled/disabled data in your app server DB and check this DB data upon requests to the "project-url" endpoint of your server code. If the data in your DB is not "projectKey:enabled", then show an error page instead.
Note: You need a new endpoint to update the "projectKey:enabled/disabled" value in your DB, and you must allow only admins to access this new URL by checking user authorization using the bulk permissions API in your server code.
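Added example (not part of the thread and not Atlassian's code): a sketch of the server-side gate described in the answer above, with the enabled flag kept in the app's own store and only project admins allowed to change it. `createProjectGate`, `isProjectAdmin` and the in-memory `Map` are hypothetical names; `accountId` is assumed to come from an already-verified JWT, and the permission lookup is stubbed so the code runs offline.

```javascript
// Added example. createProjectGate, isProjectAdmin and the Map-backed store are
// hypothetical names; accountId is assumed to come from an already-verified JWT.
function createProjectGate({ isProjectAdmin, store = new Map() }) {
  // Logic for the admin-only endpoint that flips the server-side flag.
  async function setEnabled(accountId, projectKey, enabled) {
    if (!accountId) return { status: 401, body: 'Authentication required' };
    // Stand-in for a server-side permission lookup (e.g. Jira's bulk permissions API).
    if (!(await isProjectAdmin(accountId, projectKey))) {
      return { status: 403, body: 'Project admin permission required' };
    }
    store.set(projectKey, enabled === true); // only a literal true enables
    return { status: 204, body: '' };
  }

  // Logic for the "project-url" endpoint: the app's own record decides,
  // not the project entity property that any logged-in user can change.
  async function renderProjectPage(accountId, projectKey) {
    if (!accountId) return { status: 401, body: 'Authentication required' };
    if (store.get(projectKey) !== true) {
      return { status: 403, body: 'App is not enabled for this project' };
    }
    return { status: 200, body: `App page for ${projectKey}` };
  }

  return { setEnabled, renderProjectPage };
}

// Constructed sample data: one admin account and two project keys.
async function demo() {
  const admins = new Set(['admin-1:DEMO']);
  const gate = createProjectGate({
    isProjectAdmin: async (accountId, key) => admins.has(`${accountId}:${key}`),
  });
  const results = [];
  results.push(await gate.renderProjectPage('user-2', 'DEMO'));  // not enabled yet
  results.push(await gate.setEnabled('user-2', 'DEMO', true));   // non-admin rejected
  results.push(await gate.setEnabled('admin-1', 'DEMO', true));  // admin accepted
  results.push(await gate.renderProjectPage('user-2', 'DEMO'));  // now served
  results.push(await gate.renderProjectPage('user-2', 'OTHER')); // other project blocked
  return results.map((r) => r.status);
}

demo().then((statuses) => console.log(statuses));
```

In a real app the two inner functions would sit behind HTTP routes and the store would be the app's database; the entity property condition in the descriptor can stay as a UX-only switch for the sidebar link.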
Hi team,
this is a very comprehensive answer, thank you.
And what you're saying is basically what I thought to be a good solution.
Our app does not display any restricted content on that URL. The project property just decides if it should display the page.
We provide additional JWT authorization of the current user and the further content is based on that.
So this answers the question.
Thank you again
Hi @Ivan Hanak -- Welcome to the Atlassian Community!
For a question like this about creating connected apps, you may want to consider also searching/posting in the developer community area:
https://community.developer.atlassian.com/
Kind regards,
Bill
Hello Bill, I see, I should use the developer forum. Thank you! Will do next time!