
Ability to restrict what users or groups appear in @-mention results

    • We collect Jira feedback from various sources, and we evaluate what we've collected when planning our product roadmap. To understand how this piece of feedback will be reviewed, see our Implementation of New Features Policy.

      NOTE: This suggestion is for JIRA Server. Using JIRA Cloud? See the corresponding suggestion.

      Using an @-mention will list all users, but it would be convenient to be able to restrict that to certain groups, or toggle certain users so that they do not appear in this list.

            [JRASERVER-37386] Ability to restrict what users or groups appear in @-mention results

            Maciej Swinarski (Inactive) added a comment -

            8075761753c3 - as the issue is defined here, it is clearly about the @mention feature, which can be configured via permission schemes. Also note that this issue is defined for Jira Server and Data Center, and in your comment you are referring to Jira Cloud. I think this would be the issue for Jira Cloud: https://jira.atlassian.com/browse/JRACLOUD-37386

            Marcin Wasłowicz added a comment -

            This issue is closed and even though the mentions are limited - clients can still access the full user list through:
            https://ACCOUNTNAME.atlassian.net/secure/popups/UserPickerBrowser.jspa

            The current situation provides a false sense of a fixed security issue (which is still there).

            Maciej Swinarski (Inactive) added a comment -

            Users shown in the @-mention results are controlled via the permission scheme associated with the given project, with the Browse Projects permission.

            More about permission scheme configuration: https://confluence.atlassian.com/jserverm/latest/managing-project-permissions-979403889.html

            Julian added a comment -

            @Heike Armborst

            Thank you, I wasn't aware of this permission scheme. I disabled the browse user permission for external users.

            But it would be nice to limit this based on projects etc. which unfortunately doesn't work.

            anyMOTION GmbH added a comment - - edited

            @christian Sprengler

            As Atlassian will discontinue Jira Server, I'm pretty sure they do not care anymore of any of those tickets.

            Well, it depends, since this ticket is in Project "Server and Data Center". But I'll agree: I don't think they will fix this in future ...

            best,

            anyMOTION GmbH added a comment - - edited

            @ju 

            This does not have to be a security flaw. You have to set the rights for your external users via the permission scheme accordingly.

            The relevant right is named "browse permission" or "browse user". Withdraw it from the externals and the issue is gone.

            Unfortunately, externals themselves cannot use @mention anymore then ... (like it is also here, in this Atlassian Jira instance)...

            Nevertheless, it is very sad that Atlassian did not fix this issue at all...

            best,

            Julian added a comment -

            Lol @Atlassian.

            It's been 7 years and nothing.

            This is a security flaw. Our external users can see ALL Names with the @-tag.

            Ridiculous.


            Christian Sprenger added a comment -

            As Atlassian will discontinue Jira Server, I'm pretty sure they do not care anymore of any of those tickets.

            Kelli Frattini-Adams added a comment -

            Completely agree. This is very, very important. We have state affiliates who can View (read-only) our project. However, we do not want them to have the ability to be @mentioned. Staff are accidentally @mentioning states and it's a problem. They only have the browse permission.

            Chihiro Ichihashi added a comment -

            Yes, we need this is very important.

              Unassigned
              dnicholson David Nicholson (Inactive)
              Votes: 175
              Watchers: 122