Details
- Bug
- Resolution: Duplicate
- Low
- None
- 6.4.11
- 6.04
Description
Summary
The Activity Stream is displaying restricted work logs to all users. This allows any user to see possibly sensitive information in those work logs that they should not otherwise be able to see.
Raised as critical due to this. This was previously raised in STRM-2130, which indicates it's fixed in JIRA 6.0; however, it's still present in 6.4.11.
Steps to Reproduce
- Create a new group.
- Create a new user.
- Assign that user to the group.
- Create a new project.
- Edit the project permissions to add the 'Work On Issues' permission to the group from step 1.
- Create an issue with the admin user.
- Log in as the user from step 2.
- Log work on the issue created (this was tested with group vs. project role; this can be enabled in Configuring JIRA Options).
- Access that issue with a user that does not have access to those worklogs. They won't be able to see them in the issue.
- Access the project activity stream.
Expected Results
The work log messages are not displayed in the Activity Stream as they are not displayed in the View Issue screen.
Actual Results
Restricted work logs are viewable in the Activity Stream. They are not visible on the dashboard; however, they are visible on project activity streams.
Notes
No known workaround at this time.
Issue Links
- duplicates
  - JRASERVER-34022 Restricted Work Log entries show in the Activity Stream in JIRA Server
- Gathering Impact
  - RAID-481
- relates to
  - STRM-2130
  - JDEV-19770