/rest/api/3/group/bulk excessively requires Browse user and groups permission


    Issue Summary

    The /rest/api/3/group/bulk REST API currently requires the Browse users and groups global permission. This should not be needed, since the API is not in fact usable for browsing or searching groups, just for loading names and IDs of groups that the caller already knows (either names from IDs or the other way around).

    Note that the analogous /rest/api/3/user/bulk REST API correctly does not require the extra permission, only the permission to access Jira, despite returning relatively more sensitive data.

    Any application that stores only IDs for privacy needs to use these APIs to be able to convert the IDs into user-readable group names on the front-end. As implemented, administrators need to grant everyone the Browse users and groups permission to use such applications, which reduces security.

    Steps to Reproduce

    1. In Jira go to Settings -> System -> Global Permissions -> Browse users and groups
    2. Click delete next to non-administrator groups
    3. As a non-administrator, make an authenticated call such as
       curl --silent --user <email>:<token> --request GET --url "https://mycompany.atlassian.net/rest/api/3/group/bulk"

    Expected Results

    Group names are returned.

    Actual Results

    You get an HTTP 403 with the response

    {"errorMessages":["Browse users and groups permission is required to view groups."],"errors":{}}
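The following Python check is an added example (not Atlassian code) that reproduces the comparison above with one set of credentials: it resolves a known account ID through /rest/api/3/user/bulk and a known group ID through /rest/api/3/group/bulk and classifies each response. It assumes a Jira Cloud site URL, the e-mail and API token of a non-administrator account, and the accountId / groupId query parameters as documented for the Jira Cloud REST API (not shown on this page).

```python
import base64
import json
import sys
import urllib.error
import urllib.request

# Exact message seen in the 403 body quoted under "Actual Results".
PERMISSION_MESSAGE = "Browse users and groups permission is required to view groups."


def call_bulk(site, email, token, path, query):
    """GET {site}/rest/api/3/{path}?{query} with basic auth; return (status, parsed body)."""
    url = f"{site.rstrip('/')}/rest/api/3/{path}?{query}"
    creds = base64.b64encode(f"{email}:{token}".encode()).decode()
    req = urllib.request.Request(url, headers={"Authorization": f"Basic {creds}",
                                               "Accept": "application/json"})
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return resp.status, json.loads(resp.read() or b"{}")
    except urllib.error.HTTPError as err:
        return err.code, json.loads(err.read() or b"{}")


def classify(status, body):
    """Map a bulk-endpoint response to 'ok', 'browse-permission-denied' or 'other-error'."""
    if status == 200:
        return "ok"
    messages = body.get("errorMessages", []) if isinstance(body, dict) else []
    if status == 403 and PERMISSION_MESSAGE in messages:
        return "browse-permission-denied"
    return "other-error"


def compare_bulk_endpoints(site, email, token, account_id, group_id):
    """Resolve one known account ID and one known group ID with the same credentials.
    {'user/bulk': 'ok', 'group/bulk': 'browse-permission-denied'} is the asymmetry
    described in this report: Jira access suffices for users, but the global
    Browse users and groups permission is demanded for groups (assumed query params)."""
    return {
        "user/bulk": classify(*call_bulk(site, email, token, "user/bulk",
                                         f"accountId={account_id}")),
        "group/bulk": classify(*call_bulk(site, email, token, "group/bulk",
                                          f"groupId={group_id}")),
    }


if __name__ == "__main__":
    # usage: python check_bulk.py SITE EMAIL TOKEN ACCOUNT_ID GROUP_ID
    print(json.dumps(compare_bulk_endpoints(*sys.argv[1:6]), indent=2))
```

Run it as the non-administrator account from step 3; an administrator, or any account still holding the global permission, will report "ok" for both endpoints.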

    Workaround

    Currently there is no known workaround for this behavior. A workaround will be added here when available.

          Assignee:
          Unassigned
          Reporter:
          James Richards