
Key: BAM-1944
Type: Bug
Status: Resolved
Resolution: Fixed
Priority: Critical
Assignee: Mark Chaimungkalanont [Atlassian]
Reporter: Ronald Spierenburg
Votes: 1
Watchers: 1
Bamboo

Users should not be able to view plans if Global Anonymous access is disabled.

Created: 20/Nov/07 03:50 PM   Updated: 01/Apr/08 07:10 PM
Component/s: Security
Affects Version/s: 1.2.4
Fix Version/s: 2.0 beta 4, 2.0

Time Tracking:
Not Specified

Environment:
bamboo-1.2.4
crowd
Issue Links:
Reference
 

Risk Assessment: High
Internal Priority: 1. Highest
Participants: Ajay Sridhar [Atlassian], Mark Chaimungkalanont [Atlassian] and Ronald Spierenburg
Since last comment: 25 weeks, 5 days ago
Internal Work Bucket: Confirmed
Number of comments: 5
Labels:


Description
Situation:

I set up Bamboo with the global permission 'Access' for 'Anonymous users' disabled.

However, if you create a new plan and allow access for 'Anonymous users' in a specific plan, users that are not logged in can still access the project.

IMHO the plan specific permissions should not override the global permissions. We do want our developers to create new plans, but we don't want them to bother with the permissions.



Comments
Ajay Sridhar [Atlassian] added a comment - 20/Nov/07 09:04 PM - edited
Hi Ronald,

"IMHO the plan specific permissions should not override the global permissions."

Sorry, this is not feasible because:

  1. The permissioning requirements could be different for each plan.
  2. What you are suggesting would make the "plan specific permissioning" feature redundant - as they (plan specific permissions) get overridden by global permissions.

"We do want our developers to create new plans, but we don't want them to bother with the permissions."

Perhaps a better solution would be for Bamboo to read the settings from the Global Permission configuration and suggest the same configuration while creating a new plan?

This way your developers need not worry about what permissions to set and, if need be, you (bamboo-admin) can change the plan specific permission at a later time.

Please let me know what you think.

Regards,
Ajay.


Ajay Sridhar [Atlassian] added a comment - 20/Nov/07 09:09 PM
Reducing the priority of the issue.

Ronald Spierenburg added a comment - 21/Nov/07 06:15 AM
I checked with Confluence what they do there. If you don't allow global view permission to anonymous users, the space-specific permissions cannot override that.

I expect the same behavior across your entire product line.


Ajay Sridhar [Atlassian] added a comment - 21/Nov/07 09:59 PM
Hi Ronald,

Thank you for getting back to us.

After much deliberation, we have decided to disable Bamboo (anonymous) access altogether if the global anonymous access permission is disabled.

I have changed the title to reflect this and will update this issue once it's scheduled for a fix.

Sorry for the inconvenience.

Regards,
Ajay.


Mark Chaimungkalanont [Atlassian] added a comment - 02/Mar/08 07:43 PM
Disabling global anonymous access now overrides the plan level settings.
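
The two behaviours discussed in this issue, as an added example that is not part of the original issue and is not Bamboo's code: a small model that compares the reported evaluation (plan-level grant only) with the resolved one (global anonymous access gates plan-level grants) and lists the plans whose visibility differs. All names (`Plan`, `Instance`, `exposed_plans`, the `anonymous` and `bamboo-users` principals, the plan keys) are hypothetical, and the configuration is constructed.

```python
from dataclasses import dataclass, field

ANONYMOUS = "anonymous"  # hypothetical name for the not-logged-in principal


@dataclass
class Plan:
    key: str
    viewers: set = field(default_factory=set)  # plan-level view grants


@dataclass
class Instance:
    global_access: set  # principals holding the global 'Access' permission
    plans: list


def plan_level_only(inst, plan, principal):
    """Reported behaviour: only the plan's own grant is consulted."""
    return principal in plan.viewers


def global_gate(inst, plan, principal):
    """Resolved behaviour: no global anonymous access means no anonymous view."""
    if principal == ANONYMOUS and ANONYMOUS not in inst.global_access:
        return False
    return principal in plan.viewers


def exposed_plans(inst):
    """Plans an anonymous visitor sees only when the global setting is ignored."""
    return sorted(p.key for p in inst.plans
                  if plan_level_only(inst, p, ANONYMOUS)
                  and not global_gate(inst, p, ANONYMOUS))


def sample_instance():
    # Constructed configuration: global anonymous access is disabled, and a
    # developer has granted anonymous view on one plan.
    return Instance(
        global_access={"bamboo-users"},
        plans=[Plan("WEB-MAIN", {ANONYMOUS, "bamboo-users"}),
               Plan("CORE-NIGHTLY", {"bamboo-users"})],
    )


if __name__ == "__main__":
    print(exposed_plans(sample_instance()))
```

The same comparison works as a configuration audit: any plan key it returns carries a plan-level anonymous grant that the global setting is meant to block.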