
[JIRAALIGN-1115] Bug: Private Portfolios can be accessed via impersonation


    • Bug
    • Resolution: Fixed
    • High
    • 10.69
    • 10.63
    • people
    • None
    • 2
    • Severity 2 - Major
    • Dementors - RHP6, Dementors - RHP9

      Issue Summary
      We recently implemented an NDA feature with impersonation in Jira Align, where if two users are not in the same portfolio, one user cannot impersonate the other.

      However, there is still a lingering issue with the implementation.

      This is related, somewhat, to https://jira.atlassian.com/browse/JIRAALIGN-927 where other holes in the implementation have been found.

      Currently, users can impersonate another user as long as the two users share a private Portfolio. If, however, the impersonated user has access to OTHER private portfolios that the impersonator does not, the impersonator can see those other Portfolios as well.

      Steps to Reproduce
      In Jira Align, impersonate a user that has access to the same portfolio as you.
      Also, ensure that the portfolios have the "Private" toggle enabled on their details via Administration -> Portfolios

      Expected Results
      While impersonating the user, the user performing the impersonation should only be able to see data that the two users have common access to, NOT that user's other Private portfolios that the two users do not have in common.

      Actual Results
      The user doing the impersonating has access to all the data that the impersonated user has access to. This includes private portfolios that the impersonating user does not otherwise have access to.

      Per Product Management's discussion with a larger customer, this can be fixed in one of two ways:

      Option 1: only allow the impersonation of users who have the same access to private portfolios. If one user has access to a private portfolio that the other does not, then they should not be able to impersonate (I don't think this is feasible, but curious to hear feedback)

      Option 2: Users assigned or related to a private portfolio in any way cannot be impersonated.

      Customers have so far preferred option 2.
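      The following is an added model of the access check described in this issue; it is not Jira Align's code, and the user, portfolio and policy names are constructed assumptions. It contrasts the current behaviour (the impersonator inherits the target's whole view) with the Expected Result (only commonly accessible portfolios) and encodes both proposed fixes as impersonation gates.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Portfolio:
    name: str
    private: bool

@dataclass(frozen=True)
class User:
    name: str
    portfolios: frozenset  # Portfolios this user may access

def private_access(user):
    return {p for p in user.portfolios if p.private}

def can_impersonate(actor, target, policy="current"):
    """Impersonation gate. 'current' is the NDA rule as described in the
    issue (the two users share a portfolio); 'option1' and 'option2' add
    the two proposed restrictions on top of it."""
    shares = bool(actor.portfolios & target.portfolios)
    if policy == "current":
        return shares
    if policy == "option1":  # identical private-portfolio access required
        return shares and private_access(actor) == private_access(target)
    if policy == "option2":  # anyone tied to a private portfolio is off limits
        return shares and not private_access(target)
    raise ValueError(f"unknown policy {policy!r}")

def visible_portfolios(actor, target, fixed=False):
    """Portfolios the actor sees while impersonating target.
    fixed=False reproduces the Actual Result (the whole target view);
    fixed=True is the Expected Result: target's non-private portfolios
    plus only those private ones the actor also holds."""
    if not fixed:
        return set(target.portfolios)
    return {p for p in target.portfolios if not p.private or p in actor.portfolios}

def leaked_private_portfolios(actor, target):
    """Private portfolios exposed by the bug: in the impersonator's view now,
    excluded once visibility is limited to common access."""
    return visible_portfolios(actor, target) - visible_portfolios(actor, target, fixed=True)

# Constructed sample data (not from the issue): SHARED is the private
# portfolio both users hold; FINANCE is private to Bob only.
SHARED = Portfolio("Shared", private=True)
FINANCE = Portfolio("Finance", private=True)
PUBLIC = Portfolio("Public", private=False)
ALICE = User("alice", frozenset({SHARED, PUBLIC}))
BOB = User("bob", frozenset({SHARED, FINANCE, PUBLIC}))
DAVE = User("dave", frozenset({PUBLIC}))  # holds no private portfolio
```

Under the current rule Alice may impersonate Bob and `leaked_private_portfolios(ALICE, BOB)` reports FINANCE; under either option the impersonation is refused, while Dave, who holds no private portfolio, remains impersonable under option 2.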

            idziadyk@atlassian.com Iryna Dziadyk (Inactive)
            kbaxley Kent Baxley