  1. Jira Data Center
  2. JRASERVER-67984

Logging in as a Non-admin user without Browse User Permission can view User Profiles

Details

    Description

      Summary

      When a non-admin user accesses JIRA and hits the profile URL directly (assuming that they know another user's username), they are able to view that user's profile even though no Browse User permission is granted.

      Steps to Reproduce

      1. Create a test user and grant it application access
      2. Ensure that no Browse User permission is granted to this user
      3. Access the Base URL and append secure/ViewProfile.jspa?name=anyusername at the end of the Base URL.

      Expected Behavior

      User is not able to view the profile.

      Actual Result

      User is able to see the other user's profile as long as he knows the username.

      Workaround

      None
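
With no workaround listed, the behaviour can at least be spotted after the fact by looking for successful `secure/ViewProfile.jspa?name=` requests from accounts that lack Browse User permission. The script below is an added example, not part of the original report or of Jira itself; the access-log layout, the sample lines and the `browse_users_allowed` set (an export of accounts that do hold the permission) are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Assumed access-log layout: ip request-id user [timestamp] "METHOD url PROTO" status ...
LINE = re.compile(
    r'^\S+ \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"[A-Z]+ (?P<url>\S+) [^"]*" (?P<status>\d{3})')

def profile_views(lines, browse_users_allowed):
    """Return (user, target, timestamp) for each successful ViewProfile request
    made by a user without Browse User permission for someone else's profile."""
    hits = []
    for line in lines:
        m = LINE.match(line)
        if not m or m["status"] != "200":
            continue
        url = urlsplit(m["url"])
        # endswith() tolerates a context path such as /jira/secure/...
        if not url.path.endswith("/secure/ViewProfile.jspa"):
            continue
        user = m["user"]
        if user == "-" or user in browse_users_allowed:
            continue
        for target in parse_qs(url.query).get("name", []):  # URL-decodes values
            if target.lower() != user.lower():  # viewing your own profile is expected
                hits.append((user, target, m["ts"]))
    return hits

def enumerators(hits, threshold=3):
    """Users who viewed at least `threshold` distinct other profiles."""
    seen = {}
    for user, target, _ in hits:
        seen.setdefault(user, set()).add(target.lower())
    return {u: sorted(t) for u, t in seen.items() if len(t) >= threshold}

# Constructed sample lines (not taken from a real system).
SAMPLE = [
    '10.0.0.5 600x1x1 testuser [12/Mar/2024:10:00:01 +0000] "GET /secure/ViewProfile.jspa?name=alice HTTP/1.1" 200 5120',
    '10.0.0.5 600x2x1 testuser [12/Mar/2024:10:00:03 +0000] "GET /secure/ViewProfile.jspa?name=bob HTTP/1.1" 200 5090',
    '10.0.0.5 600x3x1 testuser [12/Mar/2024:10:00:04 +0000] "GET /secure/ViewProfile.jspa?name=testuser HTTP/1.1" 200 5001',
    '10.0.0.9 601x4x1 admin [12/Mar/2024:10:01:00 +0000] "GET /secure/ViewProfile.jspa?name=alice HTTP/1.1" 200 5120',
    '10.0.0.5 602x5x1 testuser [12/Mar/2024:10:02:10 +0000] "GET /secure/ViewProfile.jspa?name=carol%40corp HTTP/1.1" 200 5100',
    '10.0.0.5 603x6x1 testuser [12/Mar/2024:10:02:30 +0000] "GET /browse/ABC-1 HTTP/1.1" 200 900',
]

if __name__ == "__main__":
    hits = profile_views(SAMPLE, browse_users_allowed={"admin"})
    for user, target, ts in hits:
        print(f"{ts} {user} viewed profile of {target}")
    print(enumerators(hits))
```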

            People

              Unassigned Unassigned
              acardino Anna Cardino (Inactive)