mattermost / mattermost-plugin-jira

JIRA plugin for Mattermost 🔌
https://mattermost.gitbook.io/plugin-jira/
Apache License 2.0

Support filtering on comment visibility for subscriptions #626

Open mickmister opened 4 years ago

mickmister commented 4 years ago

Summary

When creating a comment in Jira, it's possible to make it so the comment is only visible to specific groups of users. This is a security issue because a private comment could be posted to a channel that has MM users that should not see this comment. The subscriptions could support filtering on certain Jira groups.

When a comment is created/updated, the Jira plugin is notified through a webhook. The comment payload does not contain information on the comment visibility, so we need to fetch the comment during this time of processing the webhook call. This should only be done if necessary (if the subscription has a filter set up to filter on comment visibility). In order to ensure we get all possible information about the comment when we fetch it, we should use the author's access token to fetch the comment. We can use the URL in the webhook payload located at Comment.Self:

https://github.com/mattermost/mattermost-plugin-jira/blob/7c1ed9bf39e1df2806bf21dc6b42fae90845aa89/server/testdata/webhook-issue-comment-created-indentation.json#L122-L125

The subscription modal should support a new "field" to filter on, Comment Visibility. We will need to have an option to allow/reject certain visibilities, just as the other fields work.

We can fetch the available roles using Jira's project API rest/api/2/project/{project_key}, then examine the Roles property of the project.
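A sketch of the decision described above, as an added Go example that is not the plugin's own code: it assumes a hypothetical VisibilityFilter stored on the subscription and the `visibility` object Jira returns on a fetched comment, and leaves the fetch itself (RESTGet against Comment.Self with the author's token) to the caller.

```go
package main

import "encoding/json"

// Visibility mirrors the "visibility" object on a fetched Jira comment; it is
// absent when the comment is visible to everyone who can see the issue.
type Visibility struct {
	Type  string `json:"type"`  // "role" or "group"
	Value string `json:"value"` // e.g. "Administrators"
}

// VisibilityFilter is a hypothetical per-subscription filter: Include holds the
// visibilities allowed through, Exclude those that must never reach the channel.
type VisibilityFilter struct{ Include, Exclude map[string]bool }

// NeedsFetch is true only when a filter is configured; the webhook payload has no
// visibility field, so the extra API call is made only when it matters.
func (f VisibilityFilter) NeedsFetch() bool { return len(f.Include)+len(f.Exclude) > 0 }

// Decide applies the filter to the comment JSON fetched from Comment.Self with the
// author's token. A fetch error fails closed: the post is skipped and the reason
// is returned for the caller to log at INFO.
func Decide(f VisibilityFilter, fetched []byte, fetchErr error) (bool, string) {
	if !f.NeedsFetch() {
		return true, "no visibility filter on subscription"
	}
	if fetchErr != nil {
		return false, "comment not fetched, skipping post: " + fetchErr.Error()
	}
	var c struct {
		Visibility *Visibility `json:"visibility"`
	}
	if err := json.Unmarshal(fetched, &c); err != nil {
		return false, "malformed comment payload: " + err.Error()
	}
	name := "public" // unrestricted comments are matched under the name "public"
	if c.Visibility != nil {
		name = c.Visibility.Value
	}
	switch {
	case f.Exclude[name]:
		return false, "visibility " + name + " is excluded"
	case len(f.Include) == 0 || f.Include[name]:
		return true, "visibility " + name + " passes the filter"
	}
	return false, "visibility " + name + " is not in the include list"
}
```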

mickmister commented 3 years ago

The Comment Visibility filter should show in the dropdown for available filters at the bottom of the subscriptions modal:


mickmister commented 3 years ago

It may be helpful to use the BackendSelector component introduced in https://github.com/mattermost/mattermost-plugin-jira/pull/583, to reuse code being used to introduce a new filter selector.

sanjaydemansol commented 3 years ago

Hi @mickmister, please check it out

mickmister commented 2 years ago

@sanjaydemansol Based on the discussion in the thread you linked, I think we are ok using the https://{org_name}.atlassian.net/rest/api/2/project/{project_key} route to fetch the comment visibility roles, even if the user is not a member of this role. This is because by default, the subscription would be allowing these comments to come through anyway. Does this make sense?

mickmister commented 2 years ago

@sanjaydemansol Please take a look at the RESTService method RESTGet: https://github.com/mattermost/mattermost-plugin-jira/blob/b62a305174963133cfc219a6a0a2132997f75118/server/client.go#L44. This is the method you can use to perform these API calls. Please take a look at pieces of code that are using this method.

Nityanand13 commented 1 year ago

@mickmister Please look at our plan for solving this issue. JIRA Issue 626 PLAN.pdf

@mickmister I have updated this comment with the new pdf

mickmister commented 1 year ago

@Nityanand13 The document looks good to me :+1:

For the last section:

But there is a bug in the above-proposed solution: if a user who has created a subscription is removed from the particular group which was added in the filter of the Jira subscription, and now another user creates a comment with the same visibility attribute, then in that case the user who has created the subscription does not have access to that comment. So we will not get the notification of that comment, but technically we should get it.

Just to be clear, this situation is:

I think the behavior for this is fine (not creating the post). I think logging a message with log level INFO is all that needs to be done.

wiersgallak commented 1 year ago

Closing issues due to inactivity. This issue can be re-opened with more interest from our community.