Type: Suggestion
Resolution: Unresolved
Component/s: Front-end API, Java API, REST API
Issue Summary
This is reproducible on Data Center: yes
As an administrator, I want to be able to prevent customers from using Jira's APIs without breaking portal functionality or modifying permission schemes in Jira.
Steps to Reproduce
As a Jira Administrator:
- Set up a Service Project in JSM
- Update the project's permission scheme, adding the application access "Any logged in User" to the "Browse Projects" permission
- Change the customer permission in the project to "Anyone can raise a request on the customer portal or by email"
- Enable the authentication method "Basic Authentication for REST API calls"
- Generate a customer account via the Sign Up page in the Customer Portal
- Now that you have a valid customer account, make API calls to various endpoints in Jira to determine what is returned
Expected Results
As I am a customer, I should not receive successful responses or data from Jira outside of the customer portal I have access to.
Actual Results
As I am an authenticated user in Jira and my API calls carry an Authorization header, I am able to see project data whenever the application access "Any logged in User" is granted the "Browse Projects" permission.
Request:

% curl -D- -X POST -H 'X-Atlassian-Token: no-check' -H "Authorization: Basic <removed-by=support>" -H "Content-Type: application/x-www-form-urlencoded; charset=UTF-8" --data "startIndex=0&jql=project=OPEN&layoutKey=list-view" --url "https://jsm-base-url/jsm/rest/issueNav/1/issueTable?startIndex=0&jql=project=SAM"

Results (response truncated):

{"issueTable":{"columnSortJql":{"summary":"project = SAM ORDER BY summary ASC","issuetype":"project = SAM ORDER BY issuetype DESC","issuekey":"project = SAM ORDER BY key ASC","created":"project = SAM ORDER BY created DESC","duedate":"project = SAM ORDER BY due DESC","reporter":"project = SAM ORDER BY reporter ASC","assignee":"project = SAM ORDER BY assignee ASC","priority":"project = SAM ORDER BY priority DESC","resolution":"project = SAM ORDER BY resolution ASC","updated":"project = SAM ORDER BY updated DESC","status":"project = SAM ORDER BY status DESC"},"description":"","displayed":41,"end":41,"issueIds":[10141,10140,10139,10138,10137,10136,10135,10134,10133,10132,10131,10130,10129,10128,10127,10126,10125,10124,10123,10122,10121,10120,10119,10118,10117,10116,10115,10114,10113,10112,10111,10110,10109,10108,10107,10106,10105,10104,10103,10102,10101],"issueKeys":["SAM-41","SAM-40","SAM-39","SAM-38","SAM-37","SAM-36","SAM-35","SAM-34","SAM-33","SAM-32","SAM-31","SAM-30","SAM-29","SAM-28","SAM-27","SAM-26","SAM-25","SAM-24","SAM-23","SAM-22","SAM-21","SAM-20","SAM-19","SAM-18","SAM-17","SAM-16","SAM-15","SAM-14","SAM-13","SAM-12","SAM-11","SAM-10","SAM-9","SAM-8","SAM-7","SAM-6","SAM-5","SAM-4","SAM-3","SAM-2","SAM-1"],"jiraHasIssues":true,"page":0,"pageSize":50,"startIndex":0,"table":"\n\n\n <issuetable-web-component data-content=\"issues\">\n <table id=\"issuetable\" >\n <thead>\n <tr class=\"rowHeader\">\n \n <th class=\"colHeaderLink sortable headerrow-issuetype\" rel=\"issuetype:DESC\" data-id=\"issuetype\" onClick=\"window.document.location='/jsm/issues/?jql=ORDER%20BY%20%22issuetype%22%20DESC'\">\n <span title=\"Sort By Issue Type\">T</span>\n </th>\n \n <th class=\"colHeaderLink sortable headerrow-issuekey\" rel=\"issuekey:ASC\" data-id=\"issuekey\" onClick=\"window.document.location='/jsm/issues/?jql=ORDER%20BY%20%22issuekey%22%20ASC'\">\n <span title=\"Sort By Key\">Key</span>\n </th>\n \n <th class=\"colHeaderLink sortable headerrow-summary\" rel=\"summary:ASC\" data-id=\"summary\" onClick=\"window.document.location='/jsm/issues/?jql=ORDER%20BY%20%22summary%22%20ASC'\">\n <span title=\"Sort By Summary\">Summary</span>\n ......
Workaround
- Disable Basic Authentication for REST API calls from Settings > System > Authentication Methods
- Remove the application access "Any logged in User" from permission schemes
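The second workaround step is easy to miss on an instance with many permission schemes, and the exposure only exists where "Browse Projects" is granted to "Any logged in User". The following audit script is an added example, not part of this issue or of Atlassian's code: it walks the JSON that Jira's GET /rest/api/2/permissionscheme?expand=permissions endpoint returns (here a constructed sample is embedded so it runs offline) and lists every scheme that still carries that grant. It assumes that Jira encodes "Application access: Any logged in user" as a holder of type "applicationRole" with no "parameter", whereas a holder with a parameter names one specific application; confirm that encoding against an export from your own instance. A second helper summarises an issueTable response like the one captured above, so an administrator re-running the reporter's test after the change can see at a glance how many issues, from which projects, the customer account still receives.

```python
"""Audit Jira permission schemes for Browse Projects grants to any logged-in user.

Added example, not from the issue or from Atlassian. Input shape follows
GET /rest/api/2/permissionscheme?expand=permissions. The mapping of
"Any logged in user" to an applicationRole holder without a parameter is an
assumption to verify against your own instance.
"""
import json

BROWSE_PROJECTS = "BROWSE_PROJECTS"


def is_any_logged_in_user(holder: dict) -> bool:
    """True when the grant holder is the 'Any logged in user' application access.

    Assumption: applicationRole with no parameter == any logged-in user;
    applicationRole with a parameter (e.g. 'jira-software') == one application.
    """
    return holder.get("type") == "applicationRole" and not holder.get("parameter")


def find_exposing_grants(schemes: dict) -> list:
    """Return (scheme name, scheme id) for every scheme whose Browse Projects
    permission is granted to any logged-in user (portal customers included)."""
    findings = []
    for scheme in schemes.get("permissionSchemes", []):
        for grant in scheme.get("permissions", []):
            if grant.get("permission") != BROWSE_PROJECTS:
                continue
            if is_any_logged_in_user(grant.get("holder", {})):
                findings.append((scheme["name"], scheme["id"]))
                break  # one finding per scheme is enough
    return findings


def summarize_issue_table(response_text: str) -> dict:
    """Summarise an issueNav/1/issueTable response: how many issue keys came back
    and which project keys they belong to. Non-JSON input (e.g. an HTML login
    page after Basic Auth is disabled) is reported as zero issues."""
    try:
        data = json.loads(response_text)
    except ValueError:
        return {"issues_returned": 0, "projects": []}
    keys = data.get("issueTable", {}).get("issueKeys", [])
    projects = sorted({k.rsplit("-", 1)[0] for k in keys})
    return {"issues_returned": len(keys), "projects": projects}


# Constructed sample in the shape of Jira's permission scheme response; not a
# capture from a real instance. Scheme 10100 carries the risky grant.
SAMPLE_SCHEMES = {
    "permissionSchemes": [
        {
            "id": 0,
            "name": "Default Permission Scheme",
            "permissions": [
                {"permission": "BROWSE_PROJECTS",
                 "holder": {"type": "applicationRole", "parameter": "jira-software"}},
                {"permission": "CREATE_ISSUES",
                 "holder": {"type": "projectRole", "parameter": "10000"}},
            ],
        },
        {
            "id": 10100,
            "name": "SAM Permission Scheme",
            "permissions": [
                {"permission": "BROWSE_PROJECTS", "holder": {"type": "applicationRole"}},
                {"permission": "BROWSE_PROJECTS",
                 "holder": {"type": "projectRole", "parameter": "10200"}},
            ],
        },
    ]
}

# Constructed, shortened response in the shape of the capture in this issue.
SAMPLE_RESPONSE = json.dumps({
    "issueTable": {"displayed": 3, "issueKeys": ["SAM-3", "SAM-2", "SAM-1"],
                   "jiraHasIssues": True}
})

if __name__ == "__main__":
    for name, scheme_id in find_exposing_grants(SAMPLE_SCHEMES):
        print(f"Browse Projects granted to any logged-in user: {name} (id {scheme_id})")
    print(summarize_issue_table(SAMPLE_RESPONSE))
```

Feed `find_exposing_grants` the parsed body of the permission scheme endpoint from your own instance; an empty list means the second workaround step has been applied everywhere, while any entry names a scheme that still lets an authenticated portal customer browse the project through the REST API.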