Jira Data Center / JRASERVER-42626

Sensitive information displayed in anonymous REST API calls


Details

    Description

      Expected behavior

      Block sensitive information from being displayed on anonymous REST API calls in JIRA.

      Actual behavior

      • Users' full names are displayed when running the calls below:
        /user/picker?query=<username>
        /groupuserpicker?query=ali&showAvatar
        
      • Default fields and custom fields are displayed when running the call below:
        /jql/autocompletedata
        

      Workaround

      There's no current method for working around this within JIRA itself. The only solution would be to set up IP filtering on affected calls.

            People

              ohernandez@atlassian.com Oswaldo Hernandez (Inactive)
              jpalharini Joao Palharini (Inactive)
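The IP-filtering workaround named in the ticket, sketched as a reverse-proxy rule. This is an added example, not part of the original ticket or Atlassian's own configuration; it assumes nginx in front of Jira, Jira deployed at the root context with its REST API under /rest/api/<version>/, and constructed host names, backend address and trusted ranges.

```nginx
# Assumption: nginx receives client traffic and proxies to Jira's
# connector on 127.0.0.1:8080 (constructed address).
upstream jira_backend {
    server 127.0.0.1:8080;
}

server {
    listen 80;
    server_name jira.example.com;        # placeholder host name

    # The three calls listed in the ticket. The version segment is
    # matched loosely so numbered and alias versions of the API path
    # are covered alike, and there is no end anchor, so anything
    # appended to these paths is filtered as well. nginx matches the
    # normalized URI and ignores the query string here.
    location ~* ^/rest/api/[^/]+/(user/picker|groupuserpicker|jql/autocompletedata) {
        allow 10.0.0.0/8;                # constructed trusted range
        allow 127.0.0.1;
        deny  all;                       # everyone else gets 403

        proxy_pass http://jira_backend;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }

    # All other Jira traffic passes through unfiltered.
    location / {
        proxy_pass http://jira_backend;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
```

The rule keys on source address, not on login state, so logged-in users outside the allowed ranges lose these calls too. It only has an effect if Jira's own connector is unreachable except through the proxy.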