Details
- Type: Bug
- Resolution: Not a bug
- Priority: High
- Severity 2 - Major
Description
Based on further investigation we have concluded that this is not a privacy issue.
We are not leaking any photos of other users. Their privacy settings are being properly respected.
The difference between Confluence and Jira lies in how we return URLs for the photos. Confluence returns a URL within our own system back to the user, and that URL is later called to fetch the photo; behind the scenes we then call the avatar management service to get the user's photo and return its URL to the browser for rendering. Jira directly returns the avatar management service URL.
The difference, then, is that Jira hardcodes these URLs into the response. Since it was the APP that made the GET request for the user data, the profile photo request is also treated as coming from the APP, and the APP should not have access.
In Confluence, we return a URL that is evaluated in our system and turned into a redirect. The difference is that this URL in our system is called at page display time from the BROWSER itself (as the logged-in user).
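As an added example (not Atlassian's code), the following Python model of the two resolution paths contrasted above shows why the identity of the requester at evaluation time decides whether the masked avatar or the photo comes back; the user fields, visibility values and proxy path are all assumed.

```python
from dataclasses import dataclass

@dataclass
class User:
    account_id: str
    initials: str
    org: str
    photo_url: str
    picture_visibility: str  # assumed values: "self", "org" or "public"

@dataclass
class Principal:
    """Who is asking for the avatar: a logged-in user or an installed app."""
    kind: str              # "user" or "app"
    account_id: str = ""
    org: str = ""

def avatar_service(target: User, requester: Principal) -> str:
    """Modelled avatar management service: enforce visibility against the requester."""
    if requester.kind == "user" and requester.account_id == target.account_id:
        return target.photo_url
    if target.picture_visibility == "public":
        return target.photo_url
    if (target.picture_visibility == "org" and requester.kind == "user"
            and requester.org == target.org):
        return target.photo_url
    return f"initials:{target.initials}"          # masked avatar

def jira_style_user_payload(target: User, app: Principal) -> dict:
    """Jira path: the avatar URL is resolved while serving the app's GET,
    so the avatar service sees the app as the requester."""
    return {"accountId": target.account_id,
            "avatarUrl": avatar_service(target, app)}

def confluence_style_user_payload(target: User) -> dict:
    """Confluence path: hand back an indirect URL inside the product.
    Nothing is evaluated yet. (Made-up path, not the real route.)"""
    return {"accountId": target.account_id,
            "avatarUrl": f"/avatar-proxy/{target.account_id}"}

def confluence_redirect(target: User, browser_user: Principal) -> str:
    """Later, the browser fetches the proxy URL as the logged-in user and
    the product evaluates visibility for that viewer before redirecting."""
    return avatar_service(target, browser_user)

# Constructed sample: the reporter restricted their picture to "only me".
REPORTER = User("acc-1", "JD", "acme", "https://photos.example/acc-1.png", "self")
APP = Principal("app")
SELF_IN_BROWSER = Principal("user", "acc-1", "acme")
```

The Jira payload already carries the masked avatar for the app, while the Confluence proxy URL resolves to the photo only because the reporter's own browser, not the app, is the one asking.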
Issue Summary
According to the Profile Visibility documentation page for app developers:
- Avatar shows a masked avatar (the user's initials) rather than the profile picture, if it is restricted.
Connect apps for Jira Cloud behave as documented, while Connect apps for Confluence Cloud always display the user's profile picture, even when it is restricted in the user's profile visibility settings.
Steps to Reproduce
- Update your Profile Visibility settings so that the profile picture is only visible to you (or only to you and the organization)
- Install Whiteboards for Jira: team collaboration
- Create a new board; in the upper right corner, see that your initials are displayed as the user avatar instead of the Profile Picture.
- Now repeat the same test using the Confluence app Whiteboards: collaborative flows and diagrams in Confluence
Expected Results
As in Jira, your initials are displayed as the user avatar instead of the Profile Picture
Actual Results
The profile picture is displayed.
Workaround
Currently there is no known workaround for this behavior. A workaround will be added here when available.
Issue Links
- has a derivative of: ECO-29 Connect apps for Jira always show masked avatars (the user's initials) while the visibility settings are respected in apps for Confluence (Gathering Impact)
- relates to: JRACLOUD-76911 Apps should be allowed to access restricted user profile information if the user provided consent (Gathering Interest)
- is derived by: BYND-208
- is resolved by: HOT-98126