[ID-6385] Users are able to Self-Sign Up on Instances with Self-Sign Up Deactivated


      Description

      Administrators are receiving notifications for new users requesting access on instances with Self-Sign Up deactivated.
      It also seems to affect instances set to "Any account with one of the following email address domains can sign up": instead of accepting requests from that domain only, it lets anyone from any domain sign up.

      Steps to Reproduce

      1. On an instance, disable "Self Sign Up"
      2. Access the instance from another account which doesn't have access to that instance

      Expected Results

      You should get a message stating that you don't have access to that site.

      Actual Results

      You see the button "Request Access" and by clicking on it, all administrators get a message stating that you've requested access.
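The sign-up policy the report describes, written as an added server-side check (example code, not Atlassian's): the three Self-Sign Up modes, exact-domain matching for the allowed-domains mode, and a request-access flow in which only an admin approval adds a member. The constants, the Site class and the addresses used are constructed for this illustration.

```python
from __future__ import annotations
from dataclasses import dataclass, field

# The three Self-Sign Up modes the ticket names (constants are this example's own).
DISABLED, ANY_DOMAIN, ALLOWED_DOMAINS = "disabled", "any", "domains"


def domain_of(email: str) -> str:
    """Lower-cased part after the last '@'; empty when the address is malformed."""
    local, sep, domain = email.strip().rpartition("@")
    return domain.lower().rstrip(".") if sep and local else ""


def may_self_sign_up(email: str, mode: str, allowed: tuple[str, ...] = ()) -> bool:
    """True only when the site's policy explicitly permits this address."""
    domain = domain_of(email)
    if not domain:
        return False
    if mode == DISABLED:
        return False  # no "Request Access" button, whatever the domain
    if mode == ANY_DOMAIN:
        return True
    if mode == ALLOWED_DOMAINS:
        # Exact label comparison: "acme.example" must not admit "notacme.example"
        # or "acme.example.other.test", which a substring test would.
        return domain in {a.lower() for a in allowed}
    return False  # unknown mode: fail closed


@dataclass
class Site:
    mode: str
    allowed: tuple[str, ...] = ()
    members: set[str] = field(default_factory=set)  # users with product access
    pending: set[str] = field(default_factory=set)  # waiting for an admin

    def request_access(self, email: str) -> str:
        """Records a request only; membership and groups are untouched."""
        if not may_self_sign_up(email, self.mode, self.allowed):
            return "denied"
        self.pending.add(email)
        return "pending"

    def decide(self, email: str, approve: bool) -> None:
        """Admin decision: approval is the only path that grants access."""
        self.pending.discard(email)
        if approve:
            self.members.add(email)
```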



            Kieren (Inactive) added a comment

            Hi Everyone,

            With Stride being shut down last month and the old request access feature being removed, there should no longer be any possibility of this bug occurring again, so I'm closing this ticket.

            What about the new Request Access feature?

            A new Request Access feature was rolled out in November 2018 (read more about it here). This feature allows users to contact their site admins when they need access to a new product, or if they need someone else to access a product. In summary:

            1. If one of your users has access to 1 product (Jira), and they'd like to get access to one of your other existing products (Confluence), then they can request access to it. An email will be sent to all the Site Admins, along the lines of "James Barker already has access to Jira, and would like to access Confluence...". Any site admin can approve or deny this request.
            2. Your existing users can request access for someone who is not currently on your site. A common example of this is when a new staff member starts at a company, but they don't have access to Jira or Confluence; any user can request access for the new staff member and inform their site admin(s). An email will be sent to all the Site Admins, along the lines of "James Barker would like sue.ellen@acme.com to access Confluence...". Any site admin can approve or deny this request.

            There is a ticket to improve the Request Access feature here: https://jira.atlassian.com/browse/ID-6682. Please comment on it with any suggestions for improvements.

            Lele (Inactive) added a comment - https://getsupport.atlassian.com/browse/JST-435017

            Jeff Tillett added a comment

            jbatchelor, we got one of these on November 30th for our domain of singularity.jira.com for a user with an email of quentinmousset@gmail.com

            This is definitely still a problem.

            Joshua Batchelor (Inactive) added a comment

            Hey natsuhiko.suzuki1844695160,

            That's quite unusual, the feature for requesting access was turned off in mid July so I'd be very surprised if someone had requested access to your site since then. My best guess is that someone requested access to the site months ago and you're just seeing the notification for it now? Is it possible that you haven't used site-admin in a few months and the request has been pending since July?

            If that's not the case and you're sure the request for access was very recent, could I get you to raise a support ticket, link to this public ticket in it, and ask the person on support to escalate directly to me? I'll chat to you on that ticket about your site.

            Cheers,
            Josh

            natsuhiko.suzuki added a comment

            Our site still has the same symptom.

            Bruno Miretti added a comment - edited

            Hi Helen,

            Are you sure this is now solved? I just tried on my site and I can still self sign up whereas the "No account can self signup" button is checked.

            Edit: please forget this. I've seen in fact anyone can still create an account but we are not notified if someone does it if the button is checked.


            Helen (Inactive) added a comment

            Hi everyone,

            Thank you for reaching out to us. Unfortunately we released the 'Request Access' feature early by accident and introduced this bug to your instances. The rollback for this button was deployed on July the 14th. There should not be any instances in production that will be able to see this button. We are very sorry for the inconvenience caused.

            Please let us know if you're still experiencing problems with this.

            Kind regards,

            Helen Xue

            Product Management Team - Atlassian

            Lauren Shanta added a comment

            We've experienced the same thing. One of our Service Desk Only accounts found the 'request access' button for our primary instance (even though that feature was set to inactive). I declined their request, but they were auto-added to our instance and migrated into full JIRA user status, giving them access to all of our proprietary information. While I had space level access restrictions, in theory this is a HUGE problem from a privacy and security standpoint. I agree that this bug should be higher priority! -L

            Benjamin Mullaney added a comment

            We have also noticed these pending users are being placed in default JIRA groups without being approved. In the case where a third-party application uses a default group, a non-permitted user is able to access the data, aka a breach.

            Can someone else confirm this behaviour? The priority needs to be increased if this is the case.

            Jeff Tillett added a comment - edited

            This has the potential for a malicious user to sign up, and a well-meaning admin to approve thinking they are helping another admin, only to lead to very bad things for organizations.

            All of our production code is visible through searches in our JIRA, and this is a CRITICAL bug for us due to security concerns. Please raise priority. Atlassian introduced this bug only recently, and they need to fix it ASAP.

              Assignee: Unassigned
              Reporter: Lucas Lara Martins (lmartins)
              Affected customers: 26
              Watchers: 57