- Type: Bug
- Resolution: Unresolved
- Priority: Low
- None
- Affects Version/s: 7.9.2, 8.20.10
- Component/s: Application Links
- 7.09
- 24
- Severity 2 - Major
- 3
Issue Summary
Users are shown as logged in (to Jira) if they are watching a Confluence space and a new Confluence page with the Jira Issue/Filter macro or the Jira Charts macro is added.
Every time a linked application pulls data from JIRA for a user, it will use an OAuth connection to JIRA to verify whether the user has the correct permissions and credentials to view the specified data. This could be a macro within Confluence, but also a linked JIRA issue.
When showing any content to a user, Jira checks the permissions of the user viewing the page, as otherwise it could result in a security issue.
Steps to Reproduce
- Make sure that Jira and Confluence share the same user base.
- Create an OAuth application link between Jira and Confluence.
- Create a space in Confluence.
- Add some users as watchers of the newly created space.
- With a different user, create a new page under the newly created space and insert either the Jira Issue/Filters macro or the Jira Charts macro in the page.
- Observe in the Jira access logs and in the Jira Web UI user management that the users watching the space in Confluence are shown as logged in to Jira even though they did not log in to Jira.
This behaviour has been tested with Jira 7.9.2 and Confluence 6.14.3.
Expected Results
Users should not log in to Jira.
Actual Results
Users watching the space are marked as logged in to Jira.
Workaround
The only workaround that I found consists of removing the Confluence application access group from the users whom we don't want to see as logged in to Jira.
- is mentioned by: MNSTR-3843
- relates to: RAID-1900