GET requesttype JSM REST operation doesn't fetch hidden request types.

Platform Notice: Data Center - This article applies to Atlassian products on the Data Center platform.

Note that this knowledge base article was created for the Data Center version of the product. Data Center knowledge base articles for non-Data Center-specific features may also work for Server versions of the product, however they have not been tested. Support for Server* products ended on February 15th 2024. If you are running a Server product, you can visit the Atlassian Server end of support announcement to review your migration options.

*Except Fisheye and Crucible

Summary

After upgrading to JSM 5.4.x from JSM 4.x, the REST operation at Get request types is no longer fetching hidden request types as it did in JSM 4.20.10. It's unclear how this operation can be modified in JSM 5.4.x to fetch hidden request types again.

Environment

JSM 5.4.x and above

Diagnosis

  • Testing with a user who does not have an ADMINISTRATOR role for the project in version 5.4.8.

  • Here values field is empty if a user is having non-administer role.
❯ curl -su "csp:pasword" https://linux-49964.prod.atl-cd.net/jira/rest/servicedeskapi/servicedesk/2/requesttype | jq
{
  "size": 0,
  "start": 0,
  "limit": 50,
  "isLastPage": true,
  "_links": {
    "base": "https://linux-49964.prod.atl-cd.net/jira",
    "context": "/jira",
    "self": "https://linux-49964.prod.atl-cd.net/jira/rest/servicedeskapi/servicedesk/2/requesttype"
  },
  "values": []
}
  • Testing with user having ADMINISTRATOR role for project in 5.4.8.

  • Here, the values field should not be empty if the user has an ADMINISTRATOR role.

 ❯ curl -su "admin:password" https://linux-49763.prod.atl-cd.net/jira/rest/servicedeskapi/servicedesk/2/requesttype | jq
{
  "size": 1,
  "start": 0,
  "limit": 50,
  "isLastPage": true,
  "_links": {
    "base": "https://linux-49763.prod.atl-cd.net/jira",
    "context": "/jira",
    "self": "https://linux-49763.prod.atl-cd.net/jira/rest/servicedeskapi/servicedesk/2/requesttype"
  },
  "values": [
    {
      "id": "35",
      "_links": {
        "self": "https://linux-49763.prod.atl-cd.net/jira/rest/servicedeskapi/servicedesk/2/requesttype/35"
      },
      "name": "Test RT",
      "description": "",
      "helpText": "",
      "serviceDeskId": "2",
      "groupIds": [],
      "icon": {
        "id": "10532",
        "_links": {
          "iconUrls": {
            "48x48": "https://linux-49763.prod.atl-cd.net/jira/secure/viewavatar?avatarType=SD_REQTYPE&size=large&avatarId=10532",
            "24x24": "https://linux-49763.prod.atl-cd.net/jira/secure/viewavatar?avatarType=SD_REQTYPE&size=small&avatarId=10532",
            "16x16": "https://linux-49763.prod.atl-cd.net/jira/secure/viewavatar?avatarType=SD_REQTYPE&size=xsmall&avatarId=10532",
            "32x32": "https://linux-49763.prod.atl-cd.net/jira/secure/viewavatar?avatarType=SD_REQTYPE&size=medium&avatarId=10532"
          }
        }
      }
    }
  ]
}


Cause

  • A known bug was identified where hidden request types were mistakenly shown when accessing servicedeskapi/servicedesk/{serviceDeskId}/requesttype as a customer, which posed a security vulnerability. This issue has been resolved with the release of JSM 5.3.1 and newer versions of the software. For more information on this bug and its resolution, please refer to: JSDSERVER-6635
  • In earlier versions, this API used to hide the requestType which was a bug. However, in newer versions of the software, this issue has been resolved and now request-types are not visible for users without an Administrator role.

Solution

  • In JSM 5.4.x, it is working as designed and expected that hidden request types will not be present in the response of the REST operation Get request types if a non-administrator role is assigned to the project.

  • To resolve this issue, it is recommended to add the Administrator role for that specific project to the user who is invoking these requests. Once assigned with an Administrator role, the user should be able to view hidden request types without any issues.


Last modified on Feb 5, 2025

Was this helpful?

Yes
No
Provide feedback about this article
Powered by Confluence and Scroll Viewport.