
Grant "Browse Project" permission to "User Custom Field Value" makes project visible to all users

      NOTE: This bug report is for JIRA Cloud. Using JIRA Server? See the corresponding bug report.

       

       

      Status Update

      Hi everyone,

      We have reviewed the status of this issue and there are not currently plans to fix this bug in Jira Cloud. Extensive analysis over the last couple years has indicated that the complexity of addressing this bug without causing performance degradation for customers using permission schemes with user custom field grants is significant. Based on the number of customers that have actually been affected, we cannot justify the effort required to address it at this time.

      Thanks for your understanding.

      Regards,
      Dave Meyer
      Senior Product Manager, Jira Cloud

       

       

       

      If in your permission schema, you grant Browse Project permission to "User Custom Field Value", the project is visible to all users, regardless of whether that field is filled or not.
      JRA-31720 fixed that for the current assignee - I had hoped this would work for custom fields too.
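
      An added audit example (not part of the original report and not Atlassian code) that flags permission schemes carrying the grant described above and lists the projects that use them. The JSON shape is assumed to match `GET /rest/api/3/permissionscheme?expand=permissions`; the scheme ids and names, the custom field id and the project-to-scheme map are constructed.

```python
import json

# Constructed sample; shape assumed to match
# GET /rest/api/3/permissionscheme?expand=permissions
SAMPLE = json.loads("""
{"permissionSchemes": [
  {"id": 10000, "name": "Default software scheme", "permissions": [
    {"id": 1, "permission": "BROWSE_PROJECTS",
     "holder": {"type": "projectRole", "parameter": "10002"}},
    {"id": 2, "permission": "ADMINISTER_PROJECTS",
     "holder": {"type": "userCustomField", "parameter": "customfield_10050"}}]},
  {"id": 10001, "name": "Customer-restricted scheme", "permissions": [
    {"id": 3, "permission": "BROWSE_PROJECTS",
     "holder": {"type": "userCustomField", "parameter": "customfield_10050"}},
    {"id": 4, "permission": "BROWSE_PROJECTS",
     "holder": {"type": "group", "parameter": "jira-administrators"}}]}
]}
""")

# Constructed project key -> permission scheme id map (hypothetical projects).
PROJECT_SCHEMES = {"OPS": 10000, "CUST": 10001, "HR": 10001}


def find_exposing_grants(payload):
    """Return one finding per Browse Projects grant held by a user custom field."""
    findings = []
    for scheme in payload.get("permissionSchemes", []):
        for grant in scheme.get("permissions", []):
            holder = grant.get("holder") or {}
            if (grant.get("permission") == "BROWSE_PROJECTS"
                    and holder.get("type") == "userCustomField"):
                findings.append({"scheme_id": scheme.get("id"),
                                 "scheme_name": scheme.get("name"),
                                 "grant_id": grant.get("id"),
                                 "custom_field": holder.get("parameter")})
    return findings


def affected_projects(findings, project_schemes):
    """Project keys whose permission scheme contains a flagged grant."""
    flagged = {f["scheme_id"] for f in findings}
    return sorted(k for k, sid in project_schemes.items() if sid in flagged)


if __name__ == "__main__":
    hits = find_exposing_grants(SAMPLE)
    for f in hits:
        print("scheme {scheme_id} ({scheme_name}): grant {grant_id} gives Browse "
              "Projects to user custom field {custom_field}".format(**f))
    print("projects to review:", affected_projects(hits, PROJECT_SCHEMES))
```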

            [JRACLOUD-37117] Grant "Browse Project" permission to "User Custom Field Value" makes project visible to all users

            Gerson Gutierrez made changes -
            Labels Original: affects-cloud affects-server jira-ninjas-explore jira-run no-cvss-required st10 New: affects-cloud affects-server jira-ninjas-explore jira-run jsw-s2 no-cvss-required st10

            Normann P. Nielsen (Netic) added a comment -

            It's really depressing that you choose not to fix a security bug, where users unintentionally via the normal (out of the box) interface can create a misconfiguration that makes a project visible to all users. I do think that is a violation of "Don't F*ck the customer"....

            And stating "Based on the number of customers that have actually been affected, " - is that countable, or are you basing this on the number of bug reports from users that are aware of the problem...

            Lars Sundell added a comment -

            dmeyer, why is this closed as "won't fix" when there seems to be a duplicate that is "In progress" (JRACLOUD-75053)?

            Also, "interestingly" enough, JRACLOUD-75053 is in progress, but does not have any assignee.

            Marccio Alcaide added a comment -

            Hello Guys!

            We have the same problem here.
            It's a critical security breach, and we need some update about that.
            Can you guys open this feature again?!

            Lars Sundell added a comment -

            According to this comment from the server equivalent of this bug, I believe this bug needs to be reopened and addressed.

            If the same applies to cloud (that archived projects using this feature can be exposed), we have a more severe issue.

            And the status update is just scary. What you are basically stating is "We won't address security issues that are complex to fix". Seriously???

            Please reopen and add the "security" label to this issue.
            Michal Keshet made changes -
            Link New: This issue was cloned as JRACLOUD-75053 [ JRACLOUD-75053 ]
            Monique Khairuliana (Inactive) made changes -
            Workflow Original: JIRA Bug Workflow w Kanban v6 - Restricted [ 1869406 ] New: JAC Bug Workflow v3 [ 3361417 ]
            Status Original: Resolved [ 5 ] New: Closed [ 6 ]
            Carlos Ughini made changes -
            Description Original: {panel:bgColor=#e7f4fa}
            *NOTE:* This bug report is for *JIRA Cloud*. Using *JIRA Server*? [See the corresponding bug report|http://jira.atlassian.com/browse/JRASERVER-37117].
            {panel}
             

            {panel:title=Status Update|borderStyle=solid|borderColor=#ff7f7f|titleBGColor=#ff7f7f|bgColor=#e5e5e5}

            Hi everyone,

            We have reviewed the status of this issue and there are not currently plans to fix this bug in *Jira Cloud*. Extensive analysis over the last couple years has indicated that the complexity of addressing this bug without causing performance degradation for customers using permission schemes with user custom field grants is significant. Based on the number of customers that have actually been affected, we cannot justify the effort required to address it at this time.

            Thanks for your understanding.

            Regards,
            Dave Meyer
            Senior Product Manager, Jira Cloud

            {panel} 

             

            If in your permission schema, you grant _Browse Project_ permission to _"User Custom Field Value"_, the project is visible to all users. Regardless of whether that field is filled or not.
             JRA-31720 fixed that for the current assignee - i had hoped this would work for custom fields too.
            New: (identical to Original apart from blank lines)
            Eric S (Inactive) made changes -
            Component/s New: Project Administration - Issue type, fields and Other [ 53196 ]
            Component/s Original: Project Administration [ 46539 ]
            Dave Meyer made changes -
            Resolution New: Won't Fix [ 2 ]
            Status Original: Verified [ 10005 ] New: Resolved [ 5 ]

              Assignee: Unassigned
              Reporter: theidenreich Thomas Heidenreich (//S)
              Affected customers: 56
              Watchers: 67