  1. Jira Cloud
  2. JRACLOUD-43960

Shared filters page displays username of filter owners for public

    Description

      NOTE: This suggestion is for JIRA Cloud. Using JIRA Server? See the corresponding suggestion.

      Description:

      Shared filters page shows usernames of filter owners, even to users who are not logged in. This is not desirable since an attacker can use the usernames in a brute-force or dictionary attack.

      Steps to reproduce:

      1. As an unauthenticated user, run a search for any term.
      2. The results page has a "Find Filters" link.
      3. Clicking on the "Find Filters" link redirects to a page with an option for "Popular".
      4. Clicking "Popular" lists filters "Shared with all users" and the usernames of authors of those filters.

      Suggestion:

      Hide the owner of the filter when an unauthenticated user tries to search for it. Alternatively, you can consider hiding only the username of the owner and showing only their full name.

            People

              Unassigned
              agoncalves Arthur Gonçalves (Inactive)
              Votes: 1
              Watchers: 5
