Loading...

XML

Word

Printable

Type: Bug
Resolution: Timed out
Priority: Medium
Fix Version/s: None
Affects Version/s: 7.5.1, 7.6.7, 7.10.2, 7.12.0
Component/s: System Administration - Global Permissions
Labels:
None

Introduced in Version:
7.05
Support reference count:
1
Symptom Severity:
Severity 2 - Major

Summary

When a non-admin user access JIRA and directly hit the URL (assuming that he knows other users' username), he would be able to view his/her profile though no Browse User permission is granted.

Steps to Reproduce

Create a test user and grant an application access
Ensure that no Browse User permission is granted to this user
Access the Base URL and append secure/ViewProfile.jspa?name=anyusername at the end of the Base URL.

Expected Behavior

User is not able to view the profile.

Actual Result

User is able to see the other user's profile as long as he knows the username.

Workaround

None

relates to

JRASERVER-71899 Usernames are exposed in the URL while accessing user profiles

Gathering Impact

Assignee:: Unassigned
Reporter:: Anna Cardino (Inactive)
Votes:: 1 Vote for this issue
Watchers:: 4 Start watching this issue

Created:: 24/Sep/2018 8:00 AM
Updated:: 13/Jul/2021 9:40 AM
Resolved:: 30/Jun/2021 1:50 PM

Details

Description

Summary

Steps to Reproduce

Expected Behavior

Actual Result

Workaround

Attachments

Issue Links

Activity

People

Dates