IMPORTANT: JAC is a Public system and anyone on the internet will be able to view the data in the created JAC tickets. Please don’t include Customer or Sensitive data in the JAC ticket.
Uploaded image for project: 'Jira Data Center'
  1. Jira Data Center
  2. JRASERVER-34035

Anonymous users can access popular filters w/out permission

XMLWordPrintable

    • Icon: Bug Bug
    • Resolution: Duplicate
    • Icon: Low Low (View bug fix roadmap)
    • None
    • None
    • None
    • None

      NOTE: This bug report is for JIRA Server. Using JIRA Cloud? See the corresponding bug report.

      A customer mentioned this issue at OSCON and we were partially able to reproduce it. Users cannot see the issues themselves (in this example) but can view the filter name, owner, and popularity. Without logging in a subset of our filters are visible here: <base url>/secure/ManageFilters.jspa#filterView=popular

      Our permissions do not allow any anonymous access to the projects mentioned in these filters. The filters are shared with everyone. If this is not a bug can you please describe the functionality of anonymous access to filters so that we can configure JIRA correctly to prevent this data leakage. (It appears that filters shared with Everyone can be seen anonymously even if the issues contained within cannot.)

            Loading...
            IMPORTANT: JAC is a Public system and anyone on the internet will be able to view the data in the created JAC tickets. Please don’t include Customer or Sensitive data in the JAC ticket.
            Uploaded image for project: 'Jira Data Center'
            1. Jira Data Center
            2. JRASERVER-34035

            Anonymous users can access popular filters w/out permission

            XMLWordPrintable

              • Icon: Bug Bug
              • Resolution: Duplicate
              • Icon: Low Low
              • None
              • None
              • None
              • None

                NOTE: This bug report is for JIRA Server. Using JIRA Cloud? See the corresponding bug report.

                A customer mentioned this issue at OSCON and we were partially able to reproduce it. Users cannot see the issues themselves (in this example) but can view the filter name, owner, and popularity. Without logging in a subset of our filters are visible here: <base url>/secure/ManageFilters.jspa#filterView=popular

                Our permissions do not allow any anonymous access to the projects mentioned in these filters. The filters are shared with everyone. If this is not a bug can you please describe the functionality of anonymous access to filters so that we can configure JIRA correctly to prevent this data leakage. (It appears that filters shared with Everyone can be seen anonymously even if the issues contained within cannot.)

                        Unassigned Unassigned
                        b043998941a9 Pepe
                        Votes:
                        0 Vote for this issue
                        Watchers:
                        2 Start watching this issue

                          Created:
                          Updated:
                          Resolved:

                            Unassigned Unassigned
                            b043998941a9 Pepe
                            Affected customers:
                            0 This affects my team
                            Watchers:
                            2 Start watching this issue

                              Created:
                              Updated:
                              Resolved: