Details
- Bug
- Resolution: Unresolved
- Low
- None
- 5.2.9, 6.4.1, 7.2.0, 8.13.1
- 5.02
- 6
- Severity 2 - Major
- 1
Description
Summary
When a project admin page is visited, we perform a check for plugin updates (/rest/plugins/1.0/notifications). If the user visiting the page is not a JIRA administrator, they will not have permission to access the UPM. This results in a 401 error for that call.
Steps to reproduce
- Log in as a regular Project Administrator (a user who has the administer project permission on a test project, but who is not a JIRA Admin or System Admin)
- Access the administration page of the same test project, and click on any of the project admin tabs, e.g. versions, components etc.
Expected results
There aren't requests on the page that return a 401. Either no unauthorized requests are triggered or at least they return a more appropriate 403 response.
Actual results
A 401 is returned, as well as a WWW-Authenticate header, for requests to /rest/plugins/1.0/notifications
Notes
A similar issue was found in OnDemand: https://ecosystem.atlassian.net/browse/UPM-2684. Not sure if this issue should be a JIRA fix to handle the call better, or if the UPM is adding this call in, and the above issue should be re-opened to extend to BTF instances as well.
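A check for the mismatch described above, as an added example (not Atlassian's code): it scans a HAR-style capture for requests that carried a session cookie yet received a 401, which is the case where a 403 fits, and leaves anonymous 401s alone. The `JSESSIONID` cookie name, the host, the project page path and all header values are assumptions in constructed sample data.

```python
SESSION_COOKIE = "JSESSIONID"       # assumption: cookie name marking a logged-in session
HOST = "https://jira.example.test"  # constructed host


def _entry(path, status, req_headers, resp_headers=()):
    """Build one HAR-style entry with only the fields the audit reads."""
    return {"request": {"url": HOST + path, "headers": list(req_headers)},
            "response": {"status": status, "headers": list(resp_headers)}}


_COOKIE = {"name": "Cookie", "value": "theme=dark; JSESSIONID=0123CONSTRUCTED"}
_CHALLENGE = {"name": "WWW-Authenticate", "value": 'Basic realm="constructed"'}

# Constructed HAR-style capture, not taken from a real instance.
SAMPLE_HAR = {"log": {"entries": [
    _entry("/project-admin/TEST/versions", 200, [_COOKIE]),
    _entry("/rest/plugins/1.0/notifications", 401, [_COOKIE], [_CHALLENGE]),
    _entry("/rest/plugins/1.0/notifications", 401, [], [_CHALLENGE]),  # anonymous
]}}


def header(headers, name):
    """Case-insensitive lookup in a HAR header list; None if absent."""
    for h in headers:
        if h["name"].lower() == name.lower():
            return h["value"]
    return None


def has_session(request):
    """True if the request's Cookie header contains the session cookie."""
    cookie = header(request["headers"], "Cookie") or ""
    names = [part.split("=", 1)[0].strip() for part in cookie.split(";")]
    return SESSION_COOKIE in names


def audit(har):
    """Return 401 responses sent to requests that already had a session."""
    findings = []
    for entry in har["log"]["entries"]:
        req, resp = entry["request"], entry["response"]
        if resp["status"] != 401 or not has_session(req):
            continue  # anonymous 401s are a legitimate challenge
        findings.append({"url": req["url"], "expected_status": 403,
                         "challenge": header(resp["headers"], "WWW-Authenticate")})
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_HAR):
        print(finding)
```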
Issue Links
- is related to
  - JRASERVER-44861 Closing an issue from the new Project Navigation view returns an error "401 Unauthorized"
  - Gathering Impact
- relates to
  - UPM-3876