Loading...

XML

Word

Printable

Type: Bug
Resolution: Not a bug
Priority: Low
Fix Version/s: None
Affects Version/s: 7.10.0
Component/s: Email notifications
Labels:
None

Introduced in Version:
7.1
Support reference count:
1
Symptom Severity:
Severity 2 - Major
Bug Fix Policy:
View Atlassian Server bug fix policy

Summary

Customer users are sent @mention emails even though they should not have access to the project. This may give them access to information that they should not have.

Steps to Reproduce

Create a user without application access
Mention the user in a comment

Expected Results

Since the user does not have access they should not receive an email.

Actual Results

The user receives the email (as a Mentioned you notification) with details of the comment.

Workarounds

Do not mention the user if you do not wish for them to receive an email.
Change the Project Permission "Browse projects" to not include "Any user logged in" and instead use roles, groups or users with specific application access.

is related to

JRASERVER-23902 Don't show users in user picker which are *not* in jira-users group

Needs Triage

links to

Bugcrowd (bug bounty) report

mentioned in: Page Loading...

Assignee:: Unassigned

Reporter:: Keri Duthie (Inactive)

Votes:: 1 Vote for this issue

Watchers:: 6 Start watching this issue

Created:: 10/Jul/2018 11:02 PM

Updated:: 28/Mar/2019 12:25 AM

Resolved:: 15/Nov/2018 3:49 AM