- Type: Bug
- Resolution: Unresolved
- Priority: Low
- Affects Version/s: 1.0
- Component/s: Jira Cloud for Slack
- Severity: Severity 1 - Critical
Problem Description
Any user with the Browse Projects permission is able to connect Jira to their own Slack workspace. After subscribing, they receive notifications for the following events:
- New issue creation
- Comment
- Transition
Regardless of whether an issue security level is applied to the issue, they are still notified of all of the above events. The notification fan-out appears to check only the project-level Browse Projects permission, not whether the subscriber can actually view the individual issue.
Steps to replicate
- Create a project and configure an issue security level that allows only internal staff or the reporter to view the issues it is applied to.
- Create another user called external with the Browse Projects permission on the above project (application access only; not a member of the security level).
- On a slack account, install JIRA integration and run the following command:
/jira connect <instance>.atlassian.net
- Follow the Verify your JIRA account link to open the integration page
- Subscribe to notifications for the project created in step 1
- Using a different user, create a new ticket in the project with the security level applied
- Comment on the ticket
- Transition the ticket
Expected behaviour
As the external user lacks permission to view issues created by other users, they should not receive any notification on Slack for those issues.
Actual behaviour
The external user's Slack workspace receives notifications for all of the events.
Data exposed:
- For issue creation - status, issue type, issue key, summary and assignee
- For Comment - status, issue type, comment, issue key, summary and commenter
- For transition - status, issue type, issue key, summary and user that triggered the action
Proposed Solution
Allow site admins to allowlist the Slack workspaces that may be connected to the Jira site, so that an arbitrary user cannot route notifications into a workspace the organisation does not control.
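The following model is an added illustration and is not Atlassian's code. It simulates the authorisation decision the Slack dispatcher has to make for the scenario in the steps to replicate: a project whose Browse Projects permission includes an external user, an issue security level that admits only internal staff or the reporter, and three Slack subscriptions. `vulnerable_recipients` reproduces the reported behaviour (project-level check only), and `fixed_recipients` shows the expected behaviour (per-issue visibility check) combined with the proposed admin allowlist of Slack workspaces. All users, groups, issue keys and workspace names are constructed for the example; the `SecurityLevel` model (groups plus an optional "reporter" role) is a simplification of Jira's real security-level membership.

```python
"""Model of Slack notification fan-out for issues with a security level.

Added example, not Atlassian's code. Users, groups, issues and workspace
names are constructed for the demonstration.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Set


@dataclass(frozen=True)
class User:
    name: str
    groups: frozenset = frozenset()


@dataclass
class SecurityLevel:
    # Simplified model of an issue security level: members are groups,
    # plus optionally the special "reporter" role.
    name: str
    groups: frozenset = frozenset()
    include_reporter: bool = False

    def allows(self, user: User, issue: "Issue") -> bool:
        if self.include_reporter and user == issue.reporter:
            return True
        return bool(self.groups & user.groups)


@dataclass
class Project:
    key: str
    # Holders of the Browse Projects permission.
    browse_users: Set[User] = field(default_factory=set)


@dataclass
class Issue:
    key: str
    project: Project
    reporter: User
    summary: str
    security: Optional[SecurityLevel] = None  # None = no security level applied


@dataclass(frozen=True)
class Subscription:
    user: User         # Jira account that ran /jira connect
    workspace: str     # Slack workspace holding the subscription
    project_key: str


def can_browse(user: User, project: Project) -> bool:
    return user in project.browse_users


def can_view_issue(user: User, issue: Issue) -> bool:
    """Browse Projects AND (no security level OR member of that level)."""
    if not can_browse(user, issue.project):
        return False
    return issue.security is None or issue.security.allows(user, issue)


def vulnerable_recipients(subs: List[Subscription], issue: Issue) -> List[str]:
    """Reported behaviour: only the project-level permission is checked,
    so security-level restrictions on the issue are ignored."""
    return sorted(s.user.name for s in subs
                  if s.project_key == issue.project.key
                  and can_browse(s.user, issue.project))


def fixed_recipients(subs: List[Subscription], issue: Issue,
                     allowed_workspaces: Set[str]) -> List[str]:
    """Expected behaviour: the subscriber must be able to view this
    specific issue, and (proposed solution) the Slack workspace must be
    on the admin-maintained allowlist."""
    return sorted(s.user.name for s in subs
                  if s.project_key == issue.project.key
                  and s.workspace in allowed_workspaces
                  and can_view_issue(s.user, issue))


# Constructed scenario mirroring the steps to replicate.
internal = User("alice", frozenset({"internal-staff"}))
reporter = User("bob")                       # reporter, not internal staff
external = User("external")                  # Browse Projects only
proj = Project("SEC", browse_users={internal, reporter, external})
restricted = SecurityLevel("internal-or-reporter",
                           groups=frozenset({"internal-staff"}),
                           include_reporter=True)
ISSUE = Issue("SEC-1", proj, reporter, "Customer data export bug",
              security=restricted)
SUBS = [
    Subscription(internal, "corp.slack.com", "SEC"),
    Subscription(reporter, "corp.slack.com", "SEC"),
    Subscription(external, "attacker.slack.com", "SEC"),
]
ALLOWED_WORKSPACES = {"corp.slack.com"}

if __name__ == "__main__":
    print("vulnerable:", vulnerable_recipients(SUBS, ISSUE))
    print("fixed:     ", fixed_recipients(SUBS, ISSUE, ALLOWED_WORKSPACES))
```

The two checks are deliberately independent: the workspace allowlist stops an outsider from pointing notifications at a workspace the organisation does not control, but on its own it would not stop an internal user with Browse Projects from receiving events for issues whose security level excludes them. The per-issue visibility check is what enforces the expected behaviour above; the allowlist narrows the blast radius of any further leak.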