Uploaded image for project: 'Jira Server and Data Center'
  1. Jira Server and Data Center
  2. JRASERVER-23255

Shared filters are visible to anonymous users when shared with 'Everyone'

    XMLWordPrintable

    Details

    • Feedback Policy:
      We collect Jira feedback from various sources, and we evaluate what we've collected when planning our product roadmap. To understand how this piece of feedback will be reviewed, see our Implementation of New Features Policy.

      Description

      NOTE: This suggestion is for JIRA Server. Using JIRA Cloud? See the corresponding suggestion.

      Atlassian Update - 2 August 2016

      Hi everyone,

      We have an update for this issue. Fundamentally, the situation as reported on this suggestion is intended functionality. Sharing a filter or dashboard with "Everyone" is intended as a way to allow users who may not have accounts in your JIRA instance the ability to see certain dashboards or filters, assuming they contain issue data that has also been shared with anonymous users. There are a number of use cases for this and we know that many customers are using JIRA this way today.

      That said, we are also very aware that the wording "Everyone" can cause significant confusion, where users do not realize the "Everyone" option means that the dashboard or filter will be visible to unauthenticated users. In certain situations, this can become a security concern. Therefore, we have recently introduced some changes in to mitigate this issue.

      New global setting

      JIRA administrators can now disable the ability to share dashboards and filters publicly via a new global setting "Public sharing". This setting is available from JIRA Admin > System > General Configuration > Edit Settings. Please note that this will not affect existing filters and dashboards. If you change this setting, you will still need to update existing filters and dashboards if they have already been shared with "Everyone."

      "Everyone" is now "Public"

      In order to more clearly emphasize the outcome of sharing a dashboard or filter will allow unauthenticated users to see it, we have renamed the "Everyone" setting to "Public" and updated the wording in the UI to be more explicity.

      New "All logged-in users" option

      We know the intent of many users who selected the "Everyone" option previously was to share the filter with everyone in their organization. We've added a new option "All logged-in users" that is a more understandable way to share a dashboard or filter with all users who have a JIRA account.

      Sharing options have been reordered

      In order to reduce the likelihood that a user would accidentally choose the "Everyone"/"Public" option without understanding the consequences, we have reordered the sharing options so that "Groups" are the first sharing option in the dropdown menu.

      These changes were released to JIRA Cloud in August 2016 and in JIRA Server 7.2.2 to address the concerns laid out in this issue; therefore, we are going to mark it as resolved.

      Thanks for your patience.

      Dave Meyer
      Senior Product Manager, JIRA

      We received complaints from one of our (external) customers saying that his name was found on the Internet via googling for his name. The hit was found via a JIRA-link on our internal JIRA-system.
      When investigating, we found that it was caused by the fact that he had shared filters with restriction "Anyone".

      This is not a logical behaviour from JIRA: we don't allow anonymous access to our JIRA, so we assume that nothing is exposed to the Internet. People may for example put information in the title of the filter that should not be exposed to others. As an administrator we don't have the possibility to block this. We can't even change the filters created by others.
      The best solution in my opinion, is to modify the "Global Permission":

      • Either create a new global permission called e.g. "Browse Filters" that an Administrator can use to block all filters.
      • Or use the JIRA-Users permissions to block such Filters.

      This issue is related to JRA-22207, JRA-17221, but these requests do not completely reduce the risk.

      Workaround

      • Change all the "Shared with the public" filters to "Shared with logged-in users"(Jira version 7.2+):
      1. Create an XML backup of the instance.
      2. Stop Jira.
      3. Run the following query on the database:
        update sharepermissions set sharetype = 'loggedin' where sharetype = 'global' and entitytype = 'SearchRequest';
        
      1. Start Jira.

      To update search results a re-index a re-index of Jira instance is also required.

        Attachments

          Issue Links

            Activity

              People

              Assignee:
              Unassigned
              Reporter:
              mdeboeck Marc De Boeck
              Votes:
              86 Vote for this issue
              Watchers:
              113 Start watching this issue

                Dates

                Created:
                Updated:
                Resolved: