Suggestion
Resolution: Timed out
Issue Summary
The /rest/api/3/group/bulk REST API currently requires the Browse users and groups global permission. This should not be needed: the API cannot be used to browse or search groups, only to load the names and IDs of groups the caller already knows (names from IDs, or IDs from names).
Note that the analogous /rest/api/3/user/bulk REST API correctly does not require the extra permission, only the permission to access Jira, even though it returns comparatively more sensitive data.
Any application that stores only IDs for privacy reasons needs these APIs to convert the IDs into user-readable group names on the front-end. As implemented, administrators have to grant everyone the Browse users and groups permission in order to use such applications, which reduces security.
Steps to Reproduce
- In Jira go to Settings -> System -> Global Permissions -> Browse users and groups
- Click delete next to non-administrator groups
- As a non-administrator, make an authenticated call such as:
  curl --silent --user <email>:<token> --request GET --url "https://mycompany.atlassian.net/rest/api/3/group/bulk"
Expected Results
Group names are returned.
Actual Results
You get an HTTP 403 with the following response body:
{"errorMessages":["Browse users and groups permission is required to view groups."],"errors":{}}
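As an added example (not code from this issue or from Atlassian), this shows how a front-end that stores only group IDs could resolve them through /rest/api/3/group/bulk and degrade gracefully, falling back to raw IDs, when the 403 above comes back instead of forcing administrators to widen the Browse users and groups permission. The fetch callable, base URL and success payload are constructed for offline use; the groupId, startAt and maxResults query parameters follow the documented endpoint.

```python
import json
from typing import Callable, Dict, List, Tuple
from urllib.parse import urlencode

# Constructed responses standing in for the real endpoint at
# https://mycompany.atlassian.net/rest/api/3/group/bulk
PERMISSION_DENIED = (403, '{"errorMessages":["Browse users and groups permission '
                          'is required to view groups."],"errors":{}}')
PAGE_OK = (200, '{"isLast":true,"values":[{"name":"jira-software-users","groupId":"g-1"},'
                '{"name":"site-admins","groupId":"g-2"}]}')

# A fetcher takes a URL and returns (HTTP status, response body); injected so
# the resolver can be exercised without network access.
Fetch = Callable[[str], Tuple[int, str]]


def resolve_group_names(group_ids: List[str], fetch: Fetch,
                        base: str = "https://mycompany.atlassian.net",
                        page_size: int = 50) -> Tuple[Dict[str, str], bool]:
    """Map stored group IDs to display names via GET /rest/api/3/group/bulk.

    Returns (names, degraded). If the call is rejected with the 403 described
    in this issue, names fall back to the raw IDs and degraded is True so the
    UI can explain why only IDs are shown. Other failures raise.
    """
    names = {gid: gid for gid in group_ids}   # fallback: show the ID itself
    start = 0
    while True:
        query = urlencode([("groupId", g) for g in group_ids]
                          + [("startAt", start), ("maxResults", page_size)])
        status, body = fetch(f"{base}/rest/api/3/group/bulk?{query}")
        if status == 403:
            msgs = json.loads(body).get("errorMessages", [])
            if any("Browse users and groups" in m for m in msgs):
                return names, True            # the permission gap this issue describes
            raise PermissionError(msgs)       # some other authorization failure
        if status != 200:
            raise RuntimeError(f"unexpected HTTP {status} from group/bulk")
        page = json.loads(body)
        values = page.get("values", [])
        for group in values:
            if group["groupId"] in names:     # ignore anything we did not ask for
                names[group["groupId"]] = group["name"]
        if page.get("isLast", True) or not values:
            return names, False
        start += len(values)                  # advance to the next page
```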
Workaround
Currently there is no known workaround for this behavior. A workaround will be added here when available.