Type: Suggestion
Resolution: Fixed
Environment: JIRA 4.2 standalone running on the Tomcat server.
NOTE: This suggestion is for JIRA Server. Using JIRA Cloud? See the corresponding suggestion.
Hi everyone,
We have an update for this issue. Fundamentally, the situation as reported on this suggestion is intended functionality. Sharing a filter or dashboard with "Everyone" is intended as a way to allow users who may not have accounts in your JIRA instance the ability to see certain dashboards or filters, assuming they contain issue data that has also been shared with anonymous users. There are a number of use cases for this and we know that many customers are using JIRA this way today.
That said, we are also very aware that the wording "Everyone" can cause significant confusion, where users do not realize the "Everyone" option means that the dashboard or filter will be visible to unauthenticated users. In certain situations, this can become a security concern. Therefore, we have recently introduced some changes to mitigate this issue.
New global setting
JIRA administrators can now disable the ability to share dashboards and filters publicly via a new global setting "Public sharing". This setting is available from JIRA Admin > System > General Configuration > Edit Settings. Please note that this will not affect existing filters and dashboards. If you change this setting, you will still need to update existing filters and dashboards if they have already been shared with "Everyone."
"Everyone" is now "Public"
In order to more clearly emphasize that sharing a dashboard or filter will allow unauthenticated users to see it, we have renamed the "Everyone" setting to "Public" and updated the wording in the UI to be more explicit.
New "All logged-in users" option
We know the intent of many users who selected the "Everyone" option previously was to share the filter with everyone in their organization. We've added a new option "All logged-in users" that is a more understandable way to share a dashboard or filter with all users who have a JIRA account.
Sharing options have been reordered
In order to reduce the likelihood that a user would accidentally choose the "Everyone"/"Public" option without understanding the consequences, we have reordered the sharing options so that "Groups" are the first sharing option in the dropdown menu.
These changes were released to JIRA Cloud in August 2016 and in JIRA Server 7.2.2 to address the concerns laid out in this issue; therefore, we are going to mark it as resolved.
Thanks for your patience.
Dave Meyer
Senior Product Manager, JIRA
We received complaints from one of our (external) customers saying that his name was found on the Internet via googling for his name. The hit was found via a JIRA-link on our internal JIRA-system.
When investigating, we found that it was caused by the fact that he had shared filters with restriction "Anyone".
This is not a logical behaviour from JIRA: we don't allow anonymous access to our JIRA, so we assume that nothing is exposed to the Internet. People may for example put information in the title of the filter that should not be exposed to others. As an administrator we don't have the possibility to block this. We can't even change the filters created by others.
The best solution in my opinion, is to modify the "Global Permission":
- Either create a new global permission called e.g. "Browse Filters" that an Administrator can use to block all filters.
- Or use the JIRA-Users permissions to block such Filters.
This issue is related to JRA-17221 and JRA-22207, but these requests do not completely reduce the risk.
Workaround
- Change all the "Shared with the public" filters to "Shared with logged-in users" (Jira version 7.2+):
  - Create an XML backup of the instance.
  - Stop Jira.
  - Run the following query on the database:
    update sharepermissions set sharetype = 'loggedin' where sharetype = 'global' and entitytype = 'SearchRequest';
  - Start Jira.
- To update search results, a re-index of the Jira instance is also required.
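Before running the workaround's UPDATE against a production database, an administrator will want to know which filters are currently public and who owns them, apply the change inside a transaction, and then verify that nothing public remains. The script below is an added example, not part of this issue or of Atlassian's code: it rehearses exactly that sequence against a throwaway SQLite copy of the sharepermissions table, using the UPDATE statement from the workaround verbatim. The column layout of searchrequest (id, filtername, authorname) and the use of 'PortalPage' as the entitytype for dashboards are assumptions about the Jira schema, since the issue only names sharepermissions and 'SearchRequest'; all rows are constructed sample data. The dashboard row is included to make visible that the workaround as written touches filters only.

```python
"""Rehearse the JRASERVER workaround (public filters -> logged-in users) on a
throwaway SQLite database.  Added example; not Atlassian's code.

Assumptions (not stated on the issue page): searchrequest has columns
id/filtername/authorname, and dashboards use entitytype 'PortalPage'.
"""
import sqlite3

# Constructed sample data: three filters and one dashboard with mixed share types.
SAMPLE_FILTERS = [
    (10000, "Customer escalations", "alice"),
    (10001, "My open bugs", "bob"),
    (10002, "Release checklist", "carol"),
]
SAMPLE_SHARES = [
    # (entityid, entitytype, sharetype)
    (10000, "SearchRequest", "global"),  # shared with the public -> exposed
    (10001, "SearchRequest", "group"),   # group share, must be left alone
    (10002, "SearchRequest", "global"),  # shared with the public -> exposed
    (10500, "PortalPage", "global"),     # public dashboard (assumed entitytype)
]

# Audit query: which filters are public right now, and whose are they?
AUDIT_SQL = """
select s.entityid, r.filtername, r.authorname
from sharepermissions s
join searchrequest r on r.id = s.entityid
where s.sharetype = 'global' and s.entitytype = 'SearchRequest'
order by s.entityid;
"""

# The statement from the issue's workaround, verbatim.
FIX_SQL = """
update sharepermissions set sharetype = 'loggedin'
where sharetype = 'global' and entitytype = 'SearchRequest';
"""


def build_sample_db():
    """Create an in-memory database with the two tables and the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "create table searchrequest (id integer primary key, filtername text, authorname text)"
    )
    conn.execute(
        "create table sharepermissions (id integer primary key autoincrement, "
        "entityid integer, entitytype text, sharetype text)"
    )
    conn.executemany("insert into searchrequest values (?, ?, ?)", SAMPLE_FILTERS)
    conn.executemany(
        "insert into sharepermissions (entityid, entitytype, sharetype) values (?, ?, ?)",
        SAMPLE_SHARES,
    )
    return conn


def audit_public_filters(conn):
    """Return (entityid, filtername, authorname) for every publicly shared filter."""
    return conn.execute(AUDIT_SQL).fetchall()


def restrict_public_filters(conn):
    """Apply the workaround inside a transaction; return the number of rows changed."""
    with conn:  # commits on success, rolls back if the statement raises
        cur = conn.execute(FIX_SQL)
        return cur.rowcount


def count_public(conn, entitytype):
    """Verification step: how many entities of this type are still shared publicly."""
    row = conn.execute(
        "select count(*) from sharepermissions where sharetype = 'global' and entitytype = ?",
        (entitytype,),
    ).fetchone()
    return row[0]


if __name__ == "__main__":
    db = build_sample_db()
    for entityid, name, owner in audit_public_filters(db):
        print(f"public filter {entityid} '{name}' owned by {owner}")
    print(f"restricted {restrict_public_filters(db)} filter share(s)")
    print("public filters remaining:", count_public(db, "SearchRequest"))
    print("public dashboards remaining (not covered by the workaround):",
          count_public(db, "PortalPage"))
```

The audit output is worth keeping alongside the XML backup: it is the list of owners to notify that their filter's sharing changed, and it is the evidence of what was exposed if the exposure itself needs to be reported. As the issue notes, the change to sharepermissions is not reflected in search results until the instance is re-indexed.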
- is duplicated by
  - JRASERVER-17034 Shared Filter properties exposed without authentication (Closed)
  - JRASERVER-34035 Anonymous users can access popular filters w/out permission (Closed)
  - JRASERVER-78128 Vulnerability in the filter manager - Anonymous users can access popular filters w/out permission (Needs Triage)
- is related to
  - JRASERVER-25077 /secure/ConfigurePortalPages!default.jspa#view=popular - shows defined dashboards for not logged in users (Closed)
  - JRASERVER-28217 Error message show up in the log file when user open Dashboard manage page without login (Closed)
  - JRASERVER-29503 Wording for sharing Filters and Dashboards with Everyone is misleading (Closed)
  - JRASERVER-62510 Indexing Failed after Cloud Backup Restoration in JIRA Server due to "shareType should not be null!" (Closed)
  - JRASERVER-17221 Everyone option to be disabled while sharing a filter (Closed)
  - JRASERVER-18076 Warn about assigning "Anyone" group in Global and Project permissions (Closed)
  - JRASERVER-39912 Add global option "Enable group <anyone>" (Closed)
  - JRASERVER-47671 Bulk Update JIRA Filter's "Shared With" Configuration (Gathering Interest)
  - JRASERVER-65027 Options to automatically make all Public filters and dashboards to Logged-in users (Gathering Interest)
- relates to
  - JRASERVER-22207 Add warning to Shared Filter explaining consequence of 'everyone' (Closed)
  - JRASERVER-29503 Wording for sharing Filters and Dashboards with Everyone is misleading (Closed)
  - JRASERVER-42626 Sensitive information displayed in anonymous REST API calls (Closed)
  - JRACLOUD-23255 Shared filters are visible to anonymous users when shared with 'Everyone' (Closed)
  - JRASERVER-42242 It would be great to have an option to hide the search option (Closed)
  - JRASERVER-65521 Add possibility to disable public access to JIRA (Under Consideration)
- clones
  - JRADEV-14677
- was cloned as
  - JDEV-37085
  - JSB-32
  - JSB-69