Can a user only with read access edit articles via the widget?
Hello!
I am developing an application for YouTrack. The application widget uses the ARTICLE_OPTIONS_MENU_ITEM extension point. The backend.js file contains the following functionality for changing article content:
exports.httpHandler = {
endpoints: [
{
scope: 'article',
method: 'POST',
path: 'convert',
async handle(ctx) {
const body = await ctx.request.json();
const {newContent} = body;
ctx.article.content = newContent;
ctx.response.json({
success: true,
});
}
}
]
};With this functionality, users can open the Widget in an article and change the article content with a single click. This functionality works.
However, I noticed that if a user has read-only access to articles, they cannot change the content of the article through the interface, but when using the widget, the content of the article changes on their behalf.
Please advise whether this is considered a bug in YouTrack when a user cannot change the content of an article, but can do so through the widget. Should I check the user's editing access before changing the content of the article?
Please sign in to leave a comment.
Hi Uolary,
The behavior you see is expected: by design, the JavaScript API doesn't check the user permissions. So, it is indeed the app developer's responsibility to ensure the access scheme is respected.
It seems like simply defining permissions for the HTTP endpoint will help with your scenario:
Let me know if you see any issues with that though!
It's working, thank you for your help!
Thanks for the update, I'm glad to hear this helped!