
Granting "Browse Project" permission to "User Custom Field Value" makes project visible to all portal customers

Issue Summary

Granting "Browse Project" permission to "User custom field value (XXXX)" makes the project visible to all portal customers, regardless of whether that field is filled or not.

Steps to Reproduce

• Create a JSM project, say CSM, set its permission to "Customers added to this service project only by agents and admins", and add a customer to this project.
• Create another project, say DEMO, and set its permission to "Customers added to this service project only by agents and admins".
• Do not add the same customer to this project.
• Create a user-picker field and add it to the Browse projects permission of the DEMO project.
• When the portal customer logs in, they will see both projects on the portal.
• Associated KB articles of both projects will also be visible to the logged-in customer.

Expected Results

The project should not be visible to all customers here: https://<sitename>.atlassian.net/servicedesk/customer/portals

Actual Results

The project and its KB articles are visible to all customers here: https://<sitename>.atlassian.net/servicedesk/customer/portals

Workaround

Remove the "User custom field value (XXXX)" in the Browse project permission.
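One way to audit an instance's permission schemes for exactly this grant, written as an added example (not Atlassian's code): it assumes the grant and holder JSON shape of the Jira Cloud REST API permission-scheme endpoint, and runs here on a constructed response that mirrors the CSM and DEMO projects from the steps above.

```python
"""Audit Jira Cloud permission schemes for the Browse Projects grant this
ticket describes. Added example, not Atlassian code; it assumes the JSON shape
of GET /rest/api/3/permissionscheme?expand=permissions (grant + holder type)."""
import json

# Holder types that, per the Atlassian reply on this ticket, make a Browse
# Projects grant match every logged-in user rather than the field's value.
RISKY_HOLDER_TYPES = {"userCustomField", "groupCustomField"}


def risky_browse_grants(scheme):
    """Return (scheme name, holder type, holder parameter) for each
    BROWSE_PROJECTS grant held by a user- or group-picker custom field."""
    findings = []
    for grant in scheme.get("permissions", []):
        if grant.get("permission") != "BROWSE_PROJECTS":
            continue  # other permissions are outside this ticket's scope
        holder = grant.get("holder", {})
        if holder.get("type") in RISKY_HOLDER_TYPES:
            findings.append((scheme["name"], holder["type"], holder.get("parameter")))
    return findings


def audit_schemes(payload):
    """Run risky_browse_grants over a whole permissionscheme list response."""
    findings = []
    for scheme in payload.get("permissionSchemes", []):
        findings.extend(risky_browse_grants(scheme))
    return findings


# Constructed sample mirroring the repro steps: DEMO's scheme carries the
# user-picker grant; CSM's grants Browse Projects to a project role only.
# Scheme ids, role id and customfield_10100 are made up for this example.
SAMPLE_RESPONSE = json.loads("""
{"permissionSchemes": [
  {"id": 10001, "name": "DEMO scheme", "permissions": [
    {"permission": "BROWSE_PROJECTS", "holder": {"type": "projectRole", "parameter": "10002"}},
    {"permission": "BROWSE_PROJECTS", "holder": {"type": "userCustomField", "parameter": "customfield_10100"}},
    {"permission": "CREATE_ISSUES", "holder": {"type": "userCustomField", "parameter": "customfield_10100"}}
  ]},
  {"id": 10002, "name": "CSM scheme", "permissions": [
    {"permission": "BROWSE_PROJECTS", "holder": {"type": "projectRole", "parameter": "10002"}}
  ]}
]}
""")

for name, holder_type, param in audit_schemes(SAMPLE_RESPONSE):
    print(f"{name}: Browse Projects granted to {holder_type} {param}; remove it per the workaround")
```

Only the DEMO scheme is reported: the CREATE_ISSUES grant on the same field is left alone because the ticket is about Browse Projects.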


Leonardo Diniz added a comment -

Hello there.
As described in those alerts, granting browse project permission to either `User custom field value` or `Group custom field value` will make the project visible to any logged-in user.

This is the expected behavior and will not be treated as a bug.
There are a few ways to work around it if necessary. Those are described in

https://confluence.atlassian.com/cloudkb/limit-users-to-only-browse-issues-assigned-to-reported-by-them-in-jira-cloud-1252327979.html

Best regards

Soporte Inlogiq added a comment - - edited

Hello, we made a ticket because of this bug and we had a call with support.

In the call they said that they had created this ticket because it was a major bug and you would cover it as soon as possible, but we are seeing that this has no update on the status. Is there any news?

We, as a team, have had problems with this bug on multiple projects and clients.

Please try to solve it, because we think that this is a bug that affects admin and user experience in a bad way.

Thank you.

Ioana Toma added a comment - - edited

This bug is critical if you have external customers in your Jira Service Management instance, as you can unknowingly expose confidential data to all customers in your Help Center (both external and internal), such as:

• project portals intended for internal customers only, along with the portal name, request types, instructions, descriptions and fields, allowing them to create requests;
• confidential data stored in custom fields (e.g. a Customers select-list field);
• all the Knowledge Base articles from the connected Confluence space(s) of a portal for internal customers to all your external customers;
• all the Knowledge Base articles of an external customer portal to all the other external customers, if you have different portals for different customers.

The bug overrides the customer access settings defined on project level. If you configured your portal to be accessed by "Customers added to this service project only by agents and admins", the portal will still be exposed to every single customer in your Jira site.

Considering the above, I believe the priority should have been much higher than Low, as it can lead to potential security / data breaches. According to the bug fix policy, Low priority represents "Typically smaller paper cuts such as cosmetic errors, or non-critical functionality not behaving as expected". I believe this bug is more than a cosmetic error, having impact on user access settings.

Jose Juan Lendinez Fran added a comment -

It would be very interesting to fix this bug because it can affect several instances.
