Anonymous users can reach Jira system filter endpoints

XMLWordPrintable

    • 1
    • Severity 3 - Minor
    • 0

      Issue Summary

      Anonymous users are able to reach the /issues/?filter=-<id> for sites without authenticating to access the page.

      Steps to Reproduce

      1. In an incognito window, access the URL of a site's All issues filter (sitename.atlassian.net/issues/?filter=-4)
      2. Note that, while issues should not appear unless the Browse issue permission is set for public access, the page is still visible/reachable

      Expected Results

      A window containing an inaccessible message should be displayed, similar to browsing to /jira/filters for a given site:

      Actual Results

      The page loads and includes links for other system filters, but doesn't explicitly deny users from accessing the page:

      Workaround

      Currently there is no known workaround for this behavior. A workaround will be added here when available

        1. image-2022-12-15-14-06-07-668.png
          image-2022-12-15-14-06-07-668.png
          62 kB
        2. image-2022-12-15-14-05-15-253.png
          image-2022-12-15-14-05-15-253.png
          41 kB

            Assignee:
            Unassigned
            Reporter:
            Donald Wright
            Votes:
            1 Vote for this issue
            Watchers:
            3 Start watching this issue

              Created:
              Updated:
              Resolved: