Jira Data Center / JRASERVER-9394

Security Bug: Deletion of a comment made to jira-developers is visible to all jira-users when viewing change history


    • Type: Bug
    • Resolution: Fixed
    • Priority: Medium
    • Fix Version/s: 3.5.3
    • Affects Version/s: 3.3.1
    • Component/s: Issue - Comments
    • Environment: (Professional Edition, Version: 3.3.1-#97) - standalone - jdk1.5.0_04 - Windows 2003

      We use the jira-developers group in order to make internal comments. These comments contain sensitive information that should under no circumstances be viewable to the clients who use the jira-users group.

      When you delete a comment that is visible to jira-developers, it becomes visible to the customer! They need to click on "Change History" or "All" to view the deleted comment.

      Unfortunately, we had a situation the other day because a client saw a comment that was not meant for the client to see which has left us in a sticky situation.

      As far as we are concerned, the "All" and "Change History" buttons should only show events that were carried out by users in your group. That is, jira-developers should see all the changes in the change history and jira-users should only see events caused by other jira-users. jira-users should also be able to see when a jira-developer has assigned an issue to a jira-user as that involves the jira-user group.

      Please let us know when this will be resolved as we cannot have this situation continue as it is.


            Assignee: Unassigned
            Reporter: 2783983b03ed Test
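The leak reported above, reduced to a small model and shown next to one possible mitigation. This is an added example, not Jira's code and not the fix that shipped in 3.5.3; the class names, the `inherit_restriction` switch and the comment text are constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Comment:
    body: str
    group: Optional[str] = None  # None: visible to anyone who can view the issue


@dataclass
class HistoryEntry:
    field_name: str
    old_value: str
    group: Optional[str] = None  # restriction carried over from the changed object


@dataclass
class Issue:
    comments: list = field(default_factory=list)
    history: list = field(default_factory=list)

    def delete_comment(self, comment, inherit_restriction):
        self.comments.remove(comment)
        # The deleted body is archived in the change history. If the archive
        # entry drops the comment's group restriction, the body becomes public.
        restriction = comment.group if inherit_restriction else None
        self.history.append(HistoryEntry("Comment", comment.body, restriction))

    def visible_comments(self, viewer_groups):
        return [c.body for c in self.comments
                if c.group is None or c.group in viewer_groups]

    def visible_history(self, viewer_groups):
        return [h.old_value for h in self.history
                if h.group is None or h.group in viewer_groups]


def run_scenario(inherit_restriction):
    """Return (customer comment view before delete, customer history, developer history)."""
    issue = Issue()
    internal = Comment("Constructed internal note", group="jira-developers")
    issue.comments.append(internal)
    customer = {"jira-users"}
    developer = {"jira-users", "jira-developers"}
    before = issue.visible_comments(customer)
    issue.delete_comment(internal, inherit_restriction)
    return before, issue.visible_history(customer), issue.visible_history(developer)
```

With `inherit_restriction=False` the customer cannot read the comment while it exists but can read it in the history after deletion; with `True` the history entry stays restricted to jira-developers.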