Details
- Bug
- Resolution: Duplicate
- Low
- None
- 5.0.2, 5.0.6, 6.1.6, 6.3.1
- 5
Description
The new notification feature for @mentions in an issue sends mail to
users not included in the group the comment visibility is restricted to.
This can be reproduced by the following scenario:
- user A is member of the group SECURITY
- user B isn't
- user A creates a new issue, without restrictions
- user A mentions user @B in a comment
- user A doesn't want user B to read this comment, so he uses the
"restricted to" feature for comments and restricts the visibility for
this comment to the group SECURITY
- now user B can't see the comment in the issue (as expected), but
because he is mentioned he gets a mail notification with the whole
comment (which is absolutely unexpected and unwanted!)
This only happens when the reporter of an issue is already part of the
SECURITY group. Otherwise the restriction works for the mail
notifications too.
Such a behaviour can be very serious, especially when user B would be an
external customer, who should never see such a comment.
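
A sketch of the check the scenario above calls for, as an added example (not Jira's code and not part of the original report): each mentioned user is tested against the comment's own restriction before the comment body is mailed. The names Comment, can_view and mention_recipients, the mention regex and the extra user C are assumptions made for the illustration.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Hypothetical mention syntax: "@name" not preceded by a word character,
# so e-mail addresses such as a@B.example are not treated as mentions.
MENTION_RE = re.compile(r"(?<!\w)@(\w+)")


@dataclass(frozen=True)
class Comment:
    author: str
    body: str
    restricted_to: Optional[str] = None  # group name, None = unrestricted


def can_view(user, comment, groups):
    """A user may read a comment if it is unrestricted or they are in its group."""
    if comment.restricted_to is None:
        return True
    return user in groups.get(comment.restricted_to, set())


def mention_recipients(comment, groups, known_users):
    """Return the mentioned users who may be mailed the comment body.

    The visibility check is made per recipient; the group membership of
    the comment author or the issue reporter never stands in for it.
    """
    mentioned = set(MENTION_RE.findall(comment.body)) & known_users
    mentioned.discard(comment.author)  # no self-notification
    return sorted(u for u in mentioned if can_view(u, comment, groups))


# Constructed sample data mirroring the scenario in the report:
# A is in SECURITY, B is not; C is an extra SECURITY member added here.
GROUPS = {"SECURITY": {"A", "C"}}
USERS = {"A", "B", "C"}
RESTRICTED = Comment("A", "@B @C internal note, not for customers", "SECURITY")
UNRESTRICTED = Comment("A", "@B please take a look")

if __name__ == "__main__":
    print(mention_recipients(RESTRICTED, GROUPS, USERS))
    print(mention_recipients(UNRESTRICTED, GROUPS, USERS))
```

The two sample comments double as a regression test for the reported behaviour: the restricted one must never list B, whoever reported the issue.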
Issue Links
- duplicates JRASERVER-29354 Mention notifications do not respect the "Viewable by" security level restriction set on a comment (Closed)