JRASERVER-65195

JIRA Throws Misleading Error if a User attempts to Open an attachment they should not be able to view

Details

    • Suggestion
    • Resolution: Unresolved
    • None
    • Issue - Attachments
    • None
    • 5
    • 11

    Description

      Issue Summary

      If a user attempts to access an attachment in an issue they do not have the appropriate permission for and the attachment contains a white space, JIRA throws a misleading error regarding getOutputStream in the logs multiple times, which can be confusing.

      2017-04-28 23:23:50,357 http-nio-8734-exec-6 ERROR bbb 1403x14424x1 ni3xbm 127.0.0.1 /secure/attachment/10003/test%20efte.docx [c.a.p.webresource.data.DataTagWriter] Exception encountered rendering data resource '[com.atlassian.jira.jira-header-plugin:dismissedFlags.flags]'
      java.lang.IllegalStateException: getWriter() called after getOutputStream()
      	at com.atlassian.jira.web.filters.pagebuilder.PageBuilderResponseWrapper.getWriter(PageBuilderResponseWrapper.java:43)
      	at javax.servlet.ServletResponseWrapper.getWriter(ServletResponseWrapper.java:109)
      	at javax.servlet.ServletResponseWrapper.getWriter(ServletResponseWrapper.java:109)
      	at javax.servlet.ServletResponseWrapper.getWriter(ServletResponseWrapper.java:109)
      	at org.apache.jasper.runtime.JspWriterImpl.initOut(JspWriterImpl.java:118)
      	at org.apache.jasper.runtime.JspWriterImpl.flushBuffer(JspWriterImpl.java:111)
      	at org.apache.jasper.runtime.JspWriterImpl.write(JspWriterImpl.java:329)
      	at java.io.Writer.write(Writer.java:157)
      	at com.atlassian.plugin.webresource.data.DataTagWriter.write(DataTagWriter.java:52)
      	at com.atlassian.plugin.webresource.data.DataTagWriter.write(DataTagWriter.java:37)
      	at com.atlassian.plugin.webresource.assembler.DefaultWebResourceSet.writeHtmlTags(DefaultWebResourceSet.java:126)
      	at com.atlassian.plugin.webresource.assembler.DefaultWebResourceSet.writeHtmlTags(DefaultWebResourceSet.java:109)
      	at com.atlassian.plugin.webresource.assembler.DefaultWebResourceSet.writeHtmlTags(DefaultWebResourceSet.java:104)
      	at com.atlassian.jira.plugin.navigation.HeaderFooterRendering.includeResources(HeaderFooterRendering.java:109)
      	at jsp.decorators.message_jsp._jspService(message_jsp.java:216)
      	at org.apache.jasper.runtime.HttpJspBase.service(HttpJspBase.java:70)
      	at javax.servlet.http.HttpServlet.service(HttpServlet.java:729)
      
      Use case scenario

      As an admin, if you notice an error such as the one above, you can copy the URL to investigate which page is causing the problem, which would then lead to the error being created.

      Secondly, if a user is given the link to the attachment because a colleague believes it would be useful to him and he has not yet been granted permission to view the issue, the error above would be thrown.

      Steps to Reproduce

      1. Create an issue in JIRA as user A.
      2. Add an attachment that has a white space to the issue.
      3. Copy the URL of the attachment.
      4. In a private browsing mode or a different browser, log in to JIRA as user B.
      5. Paste the URL of the attachment copied in step 3 into a tab in the browser user B is logged in to.

      Expected Behavior

      JIRA throws a permission validation error that is easy to understand.

      Actual Behavior

      JIRA throws the error above, which makes it look like a stream object is failing and can be misleading.
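
The admin triage described under "Use case scenario", as an added example (not Atlassian's or the reporter's code): it scans log lines for the misleading getWriter()/getOutputStream() exception on /secure/attachment/ URLs and reports which user requested which attachment. The field order in LINE_RE is an assumption inferred from the single log line in this ticket, and the sample lines are constructed from that line.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Assumed field order, inferred from the one log line shown in the ticket:
# timestamp thread level user request-id session-id client-ip url [logger]
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}) (?P<thread>\S+) "
    r"(?P<level>[A-Z]+) (?P<user>\S+) (?P<req>\S+) (?P<sess>\S+) "
    r"(?P<ip>\S+) (?P<url>/secure/attachment/(?P<att_id>\d+)/(?P<name>\S*)) \["
)
MARKER = "java.lang.IllegalStateException: getWriter() called after getOutputStream()"

# Constructed sample built from the ticket's log line: the same attachment
# error logged twice, then the same exception on a non-attachment URL.
HDR = ("2017-04-28 23:23:5{s},357 http-nio-8734-exec-6 ERROR bbb 1403x14424x1 ni3xbm "
       "127.0.0.1 {url} [c.a.p.webresource.data.DataTagWriter] Exception encountered")
ATT = "/secure/attachment/10003/test%20efte.docx"
SAMPLE_LOG = [
    HDR.format(s=0, url=ATT), MARKER,
    "\tat javax.servlet.ServletResponseWrapper.getWriter(ServletResponseWrapper.java:109)",
    HDR.format(s=1, url=ATT), MARKER,
    HDR.format(s=2, url="/secure/Dashboard.jspa"), MARKER,
]

def find_attachment_errors(lines):
    """Return one record per ERROR header on an attachment URL that is
    directly followed by the getWriter()/getOutputStream() exception."""
    hits, pending = [], None  # pending: header still waiting for its exception
    for raw in lines:
        line = raw.strip()
        m = LINE_RE.match(line)
        if m:
            pending = m.groupdict() if m["level"] == "ERROR" else None
        elif pending and line.startswith(MARKER):
            pending["filename"] = unquote(pending.pop("name"))  # %20 -> space
            hits.append(pending)
            pending = None
        elif not line.startswith("at "):
            pending = None  # unrelated line, drop the candidate header
    return hits

def summarize(hits):
    """Collapse the repeated entries into counts per (user, attachment id, file name)."""
    return Counter((h["user"], h["att_id"], h["filename"]) for h in hits)

if __name__ == "__main__":
    for (user, att_id, name), n in summarize(find_attachment_errors(SAMPLE_LOG)).items():
        print(f"{user} requested attachment {att_id} ({name!r}): {n} error(s)")
```

Each reported pair of user and attachment id can then be checked against the issue's permissions to confirm the request was a denied view rather than a real stream failure.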

            People

              Unassigned
              ijimoh Ismael Olusula Jimoh (Inactive)
              Votes: 40
              Watchers: 25
