Details
-
Bug
-
Resolution: Obsolete
-
Low
-
None
-
None
Description
NOTE: This bug report is for JIRA Cloud. Using JIRA Server? See the corresponding bug report.
It looks like the update behavior is that only licensed users will be listed with the mention, but this doesn't take the limit far enough. Users who don't have permissions to a project shouldn't be available for mentions in the context of that project. For us this is a security issue, for most, this is still bad UI. It'll only create confusion and concern from a security perspective (The inevitable question will be does this person have access to our project? Why do they show up here?). This also creates the possibility of leaking sensitive client information. We're a hosting multiple clients with this application and it would allow them to search for each other, which is a problem for us.
Attachments
Issue Links
- is cloned from
-
BSERV-7242 Limit @ mention list to authorized users
- Gathering Interest
- is related to
-
JRASERVER-43750 Limit @ mention list to authorized users
- Closed