Summary

      • Customer users are sent @mention emails even though they should not have access to the project. This may give them access to information that they should not have.

      Steps to Reproduce

      1. Create a user without application access
      2. Mention the user in a comment

      Expected Results

      • Since the user does not have access they should not receive an email.

      Actual Results

      • The user receives the email (as a "Mentioned you" notification) with details of the comment.

      Workarounds

      • Do not mention the user if you do not wish for them to receive an email.
      • Change the Project Permission "Browse projects" to not include "Any user logged in" and instead use roles, groups or users with specific application access.

            [JRASERVER-67576] @Mention emails sent to Customer users

            Hello, everyone! Thank you, dsmith77, for the mention of the permission. After analyzing this behavior, we conclude that this behavior is indeed a result of the permission "Application access - Any user logged in" and that the permission is working as intended, although we do agree that the name "Any logged in user" is misleading, as it actually is considering any user that exists in the application. We have created a feature request, JRASERVER-68438, where we will be gathering feedback on this behavior, and we will be marking this bug ticket as resolved.

            Best regards,
            René Chiquete - Atlassian Support.


            Drew Smith added a comment -

            I found that by changing the Browse Project permission for all permission schemes I was able to correct this problem. Initially this permission was set to "Any logged in user". I set up a group which contained just our actual employees who use Jira and assigned that group to the permission. With this change the @mention does not pick up our customer logins from our Service Desk. I also changed the permission on the Assignable User so that we could only assign issues to our Jira users and not customers.

            The only problem this did not solve is the Reporter or custom fields based on the User Picker still show our Service Desk customers.

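An audit sketch for the workaround described above, added here as an example and not part of the issue or of Atlassian's code: it lists permission schemes that still grant Browse Projects or Assignable User to every logged-in user. The JSON is a constructed sample; its field names, and the convention that an `applicationRole` holder with no parameter represents "Any logged in user", are assumptions to check against your Jira version.

```python
import json

# Constructed sample, shaped like a permission scheme listing with the
# grants expanded. Field names and holder types are assumptions.
SAMPLE = json.loads("""
{"permissionSchemes": [
  {"name": "Default Permission Scheme", "permissions": [
    {"permission": "BROWSE_PROJECTS", "holder": {"type": "applicationRole"}},
    {"permission": "ASSIGNABLE_USER",
     "holder": {"type": "group", "parameter": "jira-staff"}}]},
  {"name": "Staff Only Scheme", "permissions": [
    {"permission": "BROWSE_PROJECTS",
     "holder": {"type": "group", "parameter": "jira-staff"}},
    {"permission": "BROWSE_PROJECTS",
     "holder": {"type": "applicationRole", "parameter": "jira-software"}}]}
]}
""")

# Permissions the comment above changed: who can see projects (and so be
# offered in @mention) and who can be assigned issues.
WATCHED = ("BROWSE_PROJECTS", "ASSIGNABLE_USER")


def is_broad(holder):
    """True when a grant covers every account rather than a scoped set.

    Assumption: "anyone" is public access, and "applicationRole" with no
    parameter is the scheme entry labelled "Any logged in user".
    """
    htype = holder.get("type")
    if htype == "anyone":
        return True
    return htype == "applicationRole" and not holder.get("parameter")


def find_broad_grants(payload, watched=WATCHED):
    """Return sorted (scheme name, permission, holder type) for broad grants."""
    findings = []
    for scheme in payload.get("permissionSchemes", []):
        for grant in scheme.get("permissions", []):
            holder = grant.get("holder", {})
            if grant.get("permission") in watched and is_broad(holder):
                findings.append((scheme.get("name"), grant["permission"],
                                 holder["type"]))
    return sorted(findings)


if __name__ == "__main__":
    for name, perm, htype in find_broad_grants(SAMPLE):
        print(f"{name}: {perm} granted to broad holder '{htype}'")
```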

              khannon Keri Duthie (Inactive)