Type: Suggestion
Resolution: Unresolved
Component/s: Work Item - Devpanel
Issue Summary
Users with access to the development panel can both view sensitive data from external applications they have no access to and create branches in repositories they have no access to.
Real example:
- An instance with an integration between Jira Software and GitHub.
- A Jira issue containing data from a GitHub repository, such as the repository, branch, and pull request name.
- Any user with access to the development panel would have access to that sensitive data, even without access to the GitHub repository.
- Additionally, any user with access to the development panel can also create branches under repositories they have no access to.
Steps to Reproduce
1. Integrate Jira Software with GitHub Cloud.
2. Integrate a Jira Software project with a GitHub repository.
3. Create a Jira issue in this Jira Software project.
4. Open a pull request that references the Jira issue created in the previous step, so that the pull request data appears in the issue's development panel.
5. Create a Jira user who has access to the project and the development panel but no access to the GitHub repository.
6. Impersonate this user.
7. Open the Jira issue whose development panel contains the pull request data.
8. Try to create a branch in any repository to which the user created in step 5 has no access.
Expected Results
In step 7, the user's access to development panel data should be restricted according to their access in the external application integrated with Jira Software.
If the Jira issue contains data from multiple repositories or development tools, the user's access should be restricted per source, according to their permissions in the external tool from which Jira gets that data.
In step 8, the user should not be able to select a repository they don't have access to as the target for the new branch.
Actual Results
In step 7, the user without access to the GitHub repository can see the pull request information through the development panel, despite having no access in GitHub.
This means users with access to the development panel can see information from any integrated source, including sources they should not have access to.
In step 8, the user is able to create a branch in a repository they don't have access to. Because the user has no access to that repository, clicking through to view the branch in GitHub produces an error message stating that they don't have access to the repo.
Suggestions
- The best solution might be for the integration to act on behalf of the user. That way, the integration would only be able to access what the user is able to access.
- A different option might be to limit the number of repos to the previously configured list of potential repos for a dedicated Jira project. That way, the admins can specify which repos are mapped to which project and the users won't be able to accidentally create branches in repos that they don't have access to.
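The two suggestions above, as an added illustration (not Atlassian's or GitHub's code): development panel items are filtered and branch targets are chosen using the viewing user's own permissions in the external tool, intersected with an admin-configured list of repositories mapped to the project. All user names, repository names and permissions here are constructed sample data.

```python
from dataclasses import dataclass
from typing import Callable, Iterable, List

@dataclass(frozen=True)
class DevPanelItem:
    kind: str   # "branch", "pull_request", ...
    repo: str   # external repository the item belongs to
    title: str

@dataclass(frozen=True)
class ProjectIntegrationConfig:
    # Admin-configured list of repositories mapped to one Jira project (second suggestion).
    allowed_repos: frozenset

# Constructed sample data (hypothetical): what each user may do in the external tool.
SAMPLE_REPO_ACCESS = {
    "alice": {"acme/website": "write"},                           # no access to acme/payments
    "admin": {"acme/website": "write", "acme/payments": "write"},
}
SAMPLE_ITEMS = [
    DevPanelItem("pull_request", "acme/payments", "PAY-1 fix rounding"),
    DevPanelItem("branch", "acme/website", "WEB-7-typo"),
]
SAMPLE_CONFIG = ProjectIntegrationConfig(frozenset({"acme/website", "acme/payments"}))

def access_as(user: str, level: str) -> Callable[[str], bool]:
    """Checker that answers with *this user's* permissions, i.e. the integration acts on
    behalf of the user (first suggestion). 'read' is satisfied by read or write access."""
    granted = SAMPLE_REPO_ACCESS.get(user, {})
    ok = {"read", "write"} if level == "read" else {"write"}
    return lambda repo: granted.get(repo) in ok

def filter_dev_panel(items: Iterable[DevPanelItem], can_read: Callable[[str], bool]) -> List[DevPanelItem]:
    """Show only items whose repository the viewing user can read in the external tool."""
    return [item for item in items if can_read(item.repo)]

def branch_targets(config: ProjectIntegrationConfig, can_write: Callable[[str], bool]) -> List[str]:
    """Candidates come from the project's admin allowlist, then are pruned by the user's own write access."""
    return sorted(repo for repo in config.allowed_repos if can_write(repo))

def create_branch(config: ProjectIntegrationConfig, repo: str, name: str,
                  can_write: Callable[[str], bool]) -> str:
    """Server-side check: refuse any target outside branch_targets(), whatever the UI submitted."""
    if repo not in branch_targets(config, can_write):
        raise PermissionError(f"{repo} is not an allowed branch target for this user")
    return f"{repo}:{name}"  # stand-in for the call to the external tool's branch API
```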
Workaround
No known workaround is available.