[JRACLOUD-80948] Availability to disable the 'Share issue' function

Type: Suggestion
Resolution: Unresolved
Component/s: Work Item - View (Internal developer use only)
Labels:
None

UIS:
3
Support reference count:
13
Feedback Policy:

Our product teams collect and evaluate feedback from a number of different sources. To learn more about how we use customer feedback in the planning process, check out our new feature policy.

When a user shares a Jira issue with external users, 2 things happen:

The user(s) will receive an email with the title of the issue/page shared in it and a link to what is being shared.
If the user access settings allow it, and the user receiving the email has an email address that is not yet added to the site, they will also have the opportunity to add themselves to the site.

For step 2, it is possible to prevent users from self-signing through the change in the User access settings: User invites, but step 1 can't be prevented so any user can use the share function and share the issue/page name and link, even if the user receiving the email does not actually have permissions to access the link received. This could be considered a form of data leak.

The suggestion is to have the ability to entirely disable the 'Share issue' function from Issues or projects to external users.

A very similar request but for being able to disable the sharing from Software boards also exists at JSWCLOUD-26092: Allow to disable the share button on boards.

is related to

JRACLOUD-81689 Ability to Hide share filter option and share filter function should respect filter shares

Closed

relates to

JRACLOUD-28997 Share button should add a comment

Closed

JSWCLOUD-26092 Allow to disable the share button on boards

Closed

JRACLOUD-93536 Share issue user picker should only show users with permission to view the issue.

Gathering Interest

SK added a comment - 26/Jan/2023 10:30 PM - edited

This is a possible data exfiltration risk. It doesn't matter if users are internal or external. Up to 500 characters of data can be sent out using share button and to anyone in the world (any email address is allowed). Mitigations like users training is not enough to address auditing of such threats. This is not limited to confluence, even Jira has a share button.

SK added a comment - 26/Jan/2023 10:30 PM - edited This is a possible data exfiltration risk. It doesn't matter if users are internal or external. Up to 500 characters of data can be sent out using share button and to anyone in the world (any email address is allowed). Mitigations like users training is not enough to address auditing of such threats. This is not limited to confluence, even Jira has a share button.

Richard Layes added a comment - 29/May/2020 2:05 PM

More specifically, I would like to disable the ability to share a ticket from a Project to external users.

Richard Layes added a comment - 29/May/2020 2:05 PM More specifically, I would like to disable the ability to share a ticket from a Project to external users.

Assignee:: Unassigned

Reporter:: Fabian A

Votes:: 10 Vote for this issue

Watchers:: 13 Start watching this issue

Created:: 27/May/2020 10:09 PM

Updated:: 09/Jun/2025 2:10 AM

Details

Description

Attachments

Issue Links

Forms

Activity

Collapse comment: SK added a comment - 26/Jan/2023 10:30 PM, Edited by SK - 27/Jan/2023 12:44 AM

Expand comment: SK added a comment - 26/Jan/2023 10:30 PM, Edited by SK - 27/Jan/2023 12:44 AM

Collapse comment: Richard Layes added a comment - 29/May/2020 2:05 PM

Expand comment: Richard Layes added a comment - 29/May/2020 2:05 PM

People

Dates