Details
- Bug
- Resolution: Cannot Reproduce
- Medium
- 2.10, 2.10.1, 3.0, 3.1, 3.2, 3.3
Description
When a notification is sent out for a page that includes the {jiraissues} macro, the list of issues is based on the page owner's permissions rather than the notified user's permissions.
Here are the steps to reproduce:
- Set up the trust relationship between your JIRA and Confluence installs
- Create users "user1" and "user2" on both Confluence and JIRA
- In Confluence, create a TEST space that is visible to both user1 and user2.
- Log in as user2 and watch the TEST space. While you're logged in as user2, check your email preferences and make sure your email address is valid.
- Create a JIRA project (PRIVATE, for example)
- Create 1-2 issues in the new project
- Create a "private" group in JIRA
- Add user1 to the "private" group
- Create a permission scheme for the new project in which the "private" group is allowed to do everything and no other users are allowed to do anything.
- Assign the permission scheme to the new project
- Search for open issues in the new project
- Copy the XML URL from the search
- Log out of JIRA and log in as user2. When browsing or searching, user2 should not be able to see any issues in the private project (or even know that it exists).
- Log in to Confluence as user1. Create a page using the jiraissues macro and the URL copied above
- Log in to Confluence as user2. View the page containing the jiraissues macro, which correctly indicates that there are no issues (none are visible to the user).
- Check the mail address specified for user2. The notification will display issues that are not visible to user2 in either JIRA or Confluence.
This bug is very specific to the mail notifications. All other views appear to respect user permissions.
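A regression check for the final step, as an added example that is not part of the original report or of Confluence: it scans a captured notification mail for issue keys from a restricted project that the recipient cannot see. The sample mail, the addresses and the function names are constructed for illustration, and the set of issues visible to the recipient is assumed to come from a JIRA search run as that user.

```python
import re
from email import message_from_string
from email.message import Message

# JIRA issue keys have the form PROJECTKEY-123.
ISSUE_KEY = re.compile(r"\b([A-Z][A-Z0-9_]+)-(\d+)\b")

# Constructed sample of a notification mail to user2 (not real Confluence output).
SAMPLE_MAIL = """\
From: confluence@example.test
To: user2@example.test
Subject: [confluence] TEST > Issue overview
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body>
<p>user1 created a page in the TEST space.</p>
<table>
<tr><td>PRIVATE-1</td><td>First restricted issue</td></tr>
<tr><td>PRIVATE-2</td><td>Second restricted issue</td></tr>
</table>
</body></html>
"""

def body_text(msg: Message) -> str:
    """Concatenate every text/* part of the message, transfer-decoded."""
    parts = []
    for part in msg.walk():
        if part.get_content_maintype() == "text":
            payload = part.get_payload(decode=True) or b""
            charset = part.get_content_charset() or "utf-8"
            parts.append(payload.decode(charset, "replace"))
    return "\n".join(parts)

def leaked_issue_keys(raw_mail, restricted_projects, visible_to_recipient):
    """Return keys from restricted projects that appear in the mail body
    although the recipient is not allowed to see them in JIRA."""
    text = body_text(message_from_string(raw_mail))
    found = {m.group(0) for m in ISSUE_KEY.finditer(text)
             if m.group(1) in restricted_projects}
    return sorted(found - set(visible_to_recipient))

if __name__ == "__main__":
    # user2 sees nothing in PRIVATE, so any PRIVATE-* key in the mail is a leak.
    print(leaked_issue_keys(SAMPLE_MAIL, {"PRIVATE"}, set()))
```

An empty result means the mail lists only issues the recipient is permitted to see.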
Issue Links
- incorporates: CONFSERVER-7841 Allow notifications of changes to dynamic macros in a page (Closed)