JRASERVER-23255

Shared filters are visible to anonymous users when shared with 'Everyone'

    • We collect Jira feedback from various sources, and we evaluate what we've collected when planning our product roadmap. To understand how this piece of feedback will be reviewed, see our Implementation of New Features Policy.

      NOTE: This suggestion is for JIRA Server. Using JIRA Cloud? See the corresponding suggestion.

      Atlassian Update - 2 August 2016

      Hi everyone,

      We have an update for this issue. Fundamentally, the situation as reported on this suggestion is intended functionality. Sharing a filter or dashboard with "Everyone" is intended as a way to allow users who may not have accounts in your JIRA instance the ability to see certain dashboards or filters, assuming they contain issue data that has also been shared with anonymous users. There are a number of use cases for this and we know that many customers are using JIRA this way today.

      That said, we are also very aware that the wording "Everyone" can cause significant confusion, where users do not realize the "Everyone" option means that the dashboard or filter will be visible to unauthenticated users. In certain situations, this can become a security concern. Therefore, we have recently introduced some changes to mitigate this issue.

      New global setting

      JIRA administrators can now disable the ability to share dashboards and filters publicly via a new global setting "Public sharing". This setting is available from JIRA Admin > System > General Configuration > Edit Settings. Please note that this will not affect existing filters and dashboards. If you change this setting, you will still need to update existing filters and dashboards if they have already been shared with "Everyone."

      "Everyone" is now "Public"

      In order to more clearly emphasize that sharing a dashboard or filter will allow unauthenticated users to see it, we have renamed the "Everyone" setting to "Public" and updated the wording in the UI to be more explicit.

      New "All logged-in users" option

      We know the intent of many users who selected the "Everyone" option previously was to share the filter with everyone in their organization. We've added a new option "All logged-in users" that is a more understandable way to share a dashboard or filter with all users who have a JIRA account.

      Sharing options have been reordered

      In order to reduce the likelihood that a user would accidentally choose the "Everyone"/"Public" option without understanding the consequences, we have reordered the sharing options so that "Groups" are the first sharing option in the dropdown menu.

      These changes were released to JIRA Cloud in August 2016 and in JIRA Server 7.2.2 to address the concerns laid out in this issue; therefore, we are going to mark it as resolved.

      Thanks for your patience.

      Dave Meyer
      Senior Product Manager, JIRA

      We received complaints from one of our (external) customers saying that his name was found on the Internet via googling for his name. The hit was found via a JIRA-link on our internal JIRA-system.
      When investigating, we found that it was caused by the fact that he had shared filters with restriction "Anyone".

      This is not a logical behaviour from JIRA: we don't allow anonymous access to our JIRA, so we assume that nothing is exposed to the Internet. People may for example put information in the title of the filter that should not be exposed to others. As an administrator we don't have the possibility to block this. We can't even change the filters created by others.
      The best solution, in my opinion, is to modify the "Global Permission":

      • Either create a new global permission called e.g. "Browse Filters" that an Administrator can use to block all filters.
      • Or use the JIRA-Users permissions to block such Filters.

      This issue is related to JRA-22207, JRA-17221, but these requests do not completely reduce the risk.

      Workaround

      • Change all the "Shared with the public" filters to "Shared with logged-in users" (Jira version 7.2+):
      1. Create an XML backup of the instance.
      2. Stop Jira.
      3. Run the following query on the database:
        update sharepermissions set sharetype = 'loggedin' where sharetype = 'global' and entitytype = 'SearchRequest';
        
      4. Start Jira.

      To update the search results, a re-index of the Jira instance is also required.

            [JRASERVER-23255] Shared filters are visible to anonymous users when shared with 'Everyone'

            Tobias added a comment -

            UPDATE: After the change described above, the changes worked after a background reindex. 


            Tobias added a comment - - edited

            I raised a new support ticket, because we faced the same issue on Jira 8.20.13. Let's see what Atlassian says...


            Tobias added a comment -

            Hello together,
            maybe it helps someone facing the same issue as me. I have many filters which are affected by this "bug" and therefore I was just checking if I still need all these filters. The result is that only a small amount of all filters is still used. Because some of you explained that the bug is not fixed by changing the shared option via SQL.

            So here is what I did.

            1. Select all filters with option "Shared with anyone on the web":
              SELECT sr.filtername, sr.id, sp.sharetype AS current_share_state, sr.username AS owner_name, sr.reqcontent AS JQL
              FROM searchrequest sr
              INNER JOIN sharepermissions sp ON sp.entityid = sr.id
              WHERE sp.sharetype = 'global' AND sp.entitytype = 'SearchRequest'
              ORDER BY sr.filtername ASC;
              
            2. Extract the IDs and check with the next query if these filters are still part of a board:
              SELECT * FROM AO_60DB71_RAPIDVIEW rv
              WHERE rv.SAVED_FILTER_ID = my-filter-id;
              

            Now I can see which filters are still in use, then check these boards and see if they are still in use. If not, then delete the filter. If so, then ask the owner to recreate it and delete the old one. Therefore make sure that you have disabled the option in the General configuration of your Jira instance.

            I think this should help to reduce the impact of this bug.
            Best
            Tobias

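The audit query in the comment above and the `update sharepermissions` workaround in the issue description are two halves of one procedure: find what is shared with `global` (Public), check what depends on it, flip it to `loggedin`, and confirm nothing is left over before the reindex. The script below is an added example (not Atlassian's code and not part of this issue) that runs that procedure against an in-memory SQLite copy of the tables involved, loaded with constructed rows so it executes offline. The `sharepermissions` and `searchrequest` column names and the `AO_60DB71_RAPIDVIEW.SAVED_FILTER_ID` column come from this page; the `portalpage` columns (`pagename`, `username`), the board table's `NAME` column and the `sharetype` value `group` are assumptions about the Jira schema. Against a real instance you would take the XML backup, stop Jira, point the connection at the Jira database instead of `open_sample_db()`, and still run the reindex afterwards.

```python
"""Audit and remediate public ('global') share permissions on Jira filters and
dashboards, following the SQL workaround from JRASERVER-23255.

Added example; runs against an in-memory SQLite stand-in with constructed data.
"""
import sqlite3
from typing import Dict, List

# Minimal stand-in for the Jira tables the workaround touches. The portalpage
# columns and the board table's NAME column are assumptions.
SCHEMA = """
CREATE TABLE searchrequest (
    id INTEGER PRIMARY KEY, filtername TEXT, username TEXT, reqcontent TEXT);
CREATE TABLE portalpage (
    id INTEGER PRIMARY KEY, pagename TEXT, username TEXT);
CREATE TABLE sharepermissions (
    id INTEGER PRIMARY KEY, entityid INTEGER, entitytype TEXT,
    sharetype TEXT, param1 TEXT);
CREATE TABLE AO_60DB71_RAPIDVIEW (
    ID INTEGER PRIMARY KEY, NAME TEXT, SAVED_FILTER_ID INTEGER);
"""

# Constructed sample rows (not from any real instance): two public filters,
# one of them backing a board, one group-shared filter, one public dashboard
# and one dashboard already shared with logged-in users.
SAMPLE_FILTERS = [
    (10100, "Customer ACME open bugs", "mdeboeck", "project = ACME AND type = Bug"),
    (10101, "My sprint", "tobias", "sprint in openSprints()"),
    (10102, "Team backlog", "tobias", "project = TEAM AND status = Open"),
]
SAMPLE_DASHBOARDS = [(10200, "Support overview", "mdeboeck"),
                     (10201, "Dev wallboard", "tobias")]
# sharetype as stored by Jira: 'global' = Public, 'loggedin' = All logged-in
# users; 'group' (name in param1) is assumed for the group-shared row.
SAMPLE_SHARES = [
    (1, 10100, "SearchRequest", "global", None),
    (2, 10101, "SearchRequest", "global", None),
    (3, 10102, "SearchRequest", "group", "jira-developers"),
    (4, 10200, "PortalPage", "global", None),
    (5, 10201, "PortalPage", "loggedin", None),
]
SAMPLE_BOARDS = [(1, "ACME board", 10100), (2, "Team board", 10102)]


def open_sample_db() -> sqlite3.Connection:
    """Build the in-memory database and load the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO searchrequest VALUES (?,?,?,?)", SAMPLE_FILTERS)
    conn.executemany("INSERT INTO portalpage VALUES (?,?,?)", SAMPLE_DASHBOARDS)
    conn.executemany("INSERT INTO sharepermissions VALUES (?,?,?,?,?)", SAMPLE_SHARES)
    conn.executemany("INSERT INTO AO_60DB71_RAPIDVIEW VALUES (?,?,?)", SAMPLE_BOARDS)
    conn.commit()
    return conn


def public_entities(conn: sqlite3.Connection) -> List[Dict]:
    """Audit step: every filter and dashboard still shared with 'global',
    with its owner and, for filters, the boards that depend on it."""
    rows = conn.execute("""
        SELECT sp.entitytype, sp.entityid, sr.filtername AS name, sr.username AS owner
          FROM sharepermissions sp
          JOIN searchrequest sr ON sr.id = sp.entityid
         WHERE sp.sharetype = 'global' AND sp.entitytype = 'SearchRequest'
        UNION ALL
        SELECT sp.entitytype, sp.entityid, pp.pagename, pp.username
          FROM sharepermissions sp
          JOIN portalpage pp ON pp.id = sp.entityid
         WHERE sp.sharetype = 'global' AND sp.entitytype = 'PortalPage'
         ORDER BY 1, 2
    """).fetchall()
    result = []
    for entitytype, entityid, name, owner in rows:
        boards = []
        if entitytype == "SearchRequest":
            boards = [b for (b,) in conn.execute(
                "SELECT NAME FROM AO_60DB71_RAPIDVIEW WHERE SAVED_FILTER_ID = ?",
                (entityid,))]
        result.append({"type": entitytype, "id": entityid, "name": name,
                       "owner": owner, "boards": boards})
    return result


def make_logged_in(conn: sqlite3.Connection,
                   entitytypes=("SearchRequest", "PortalPage")) -> Dict[str, int]:
    """Remediation step from the workaround, applied to filters and dashboards
    in one transaction. Returns the number of rows changed per entity type."""
    changed = {}
    try:
        for entitytype in entitytypes:
            cur = conn.execute(
                "UPDATE sharepermissions SET sharetype = 'loggedin' "
                " WHERE sharetype = 'global' AND entitytype = ?", (entitytype,))
            changed[entitytype] = cur.rowcount
        conn.commit()
    except sqlite3.Error:
        conn.rollback()
        raise
    return changed


def remaining_public(conn: sqlite3.Connection) -> int:
    """Post-change check: must be 0 before Jira is started and reindexed."""
    (n,) = conn.execute(
        "SELECT COUNT(*) FROM sharepermissions WHERE sharetype = 'global'").fetchone()
    return n


if __name__ == "__main__":
    db = open_sample_db()
    for e in public_entities(db):
        print(f"{e['type']:<13} {e['id']} {e['name']!r} owner={e['owner']} boards={e['boards']}")
    print("changed:", make_logged_in(db))
    print("still public:", remaining_public(db))
```

Running the audit before the update is what tells you whose filters you are about to change and which boards will be affected, so owners can be told to recreate a filter where the comments above report that the SQL change alone did not take effect; the `remaining_public` check catches a partial update before the reindex is started.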

            Duane Cronkite added a comment -

            Is there a way to bulk update filters from everyone on an instance of 7.1.6?

            Michael Weber added a comment -

            Agree!

            There must be also a possibility to bulk update existing ones. For on-prem, there are database queries available. But for cloud, it's a manual exercise.

            Filters:
            update sharepermissions set sharetype = 'loggedin' where sharetype = 'global' and entitytype = 'SearchRequest';

            Dashboards:
            update sharepermissions set sharetype = 'loggedin' where sharetype = 'global' and entitytype = 'PortalPage';

            Alfa Product Team added a comment -

            The internet is re-discovering this misconfiguration "opportunity" https://medium.com/@logicbomb_1/one-misconfig-jira-to-leak-them-all-including-nasa-and-hundreds-of-fortune-500-companies-a70957ef03c7

            Maybe it is time to

            1. make the "Public Sharing" option default to OFF in new Jira installations, and have a think about whether a future upgrade should proactively disable it, but somehow tell Jira admins that's what's happened, i.e. force admins to actively opt in.
            2. consider adding some granularity to control which users are able to use "Public" sharing options (rather than making it a pure global "OFF/ON" option).

            Mike Ashley added a comment -

            As Isaac said above, after running the commands successfully and confirming the sharetype no longer contains any lines with global as an option, when viewing the search issues screen as a user not logged in they are able to search for all filters set to everyone.

            The filter permissions must be replicated elsewhere in the database and both locations need to be updated.

            Isaac.nl added a comment -

            FYI Although the queries seem to run fine, the filters and dashboard remain visible to the public and are still being displayed as being shared with the public. Even after Jira restart and reindex.


            Rose Cruz added a comment -

            FYI - to repair dashboards shared w/the public, use query above with  entitytype = "PortalPage".


            mironym added a comment - - edited

            Limiting the possibility to share with Public/Everyone is important also in a setup where one JIRA instance hosts more not related projects/customers and you don't want to allow any accidental sharing of filter/dashboard names even if they are logged in...I can't imagine this scenario was not considered (when implementing the share with Everyone option in the first place).


              Assignee: Unassigned
              Reporter: Marc De Boeck
              Votes: 86
              Watchers: 118