
'Service Desk Customer - Portal Access' in Browse Project permission causes side bar to display search suggestions to users with no access to said suggestions

      Summary

      When the browse project permission of a project is set to include 'Service Desk Customer - Portal Access', users with JSW application access (but who have no access to the project due to not being a JSD customer) are currently able to see tickets, boards, projects and filters of the said project. They do not have access to the project in question when clicking on the boards and projects, but they are still able to see the projects and issues from suggestions.

      Investigation Done

      Browse project permission set to include 'Service Desk Customer - Portal Access'

      No additional groups besides application access group for user

      User is still able to see the project (AT1) being suggested despite not having access to it.

      Steps to Replicate

      Refer to the investigation steps above.

      Expected Results

      No projects, dashboards, filters or tickets should be returned as suggestions

      Current Results

      Projects with a Browse Project permission that includes 'Service Desk Customer - Portal Access' will return themselves, and the tickets and dashboards under them, as suggestions despite the user having no access to them.

      Note: Can also potentially be due to side bar result caching with the creation of CONFCLOUD-65887, but we have no way of verifying on our end.


            [JSDCLOUD-8015] 'Service Desk Customer - Portal Access' in Browse Project permission causes side bar to display search suggestions to users with no access to said suggestions

            Karol added a comment -

            Closing, because the functionality works as expected.

            The only replication steps we could find involved using a user account with administrator privileges (through the "jira-software-users" group that the user belongs to). Such users have access to administer the projects, which are therefore shown in the search results.

            Make sure you intend for the group to have administrator access; if not, removing it should fix the problem. You can check by going to Users management -> Groups and checking each group that the user is in.
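The triage described in the closing comment above, as an added sketch that is not Atlassian code and not part of the original comment. It uses a simplified, assumed model of permission evaluation to separate visibility granted by the 'Service Desk Customer - Portal Access' Browse Projects grant from visibility inherited through an administrator group; the user names and data layout are constructed, and only the group "jira-software-users" and project AT1 come from the ticket.

```python
from dataclasses import dataclass

PORTAL_GRANT = "Service Desk Customer - Portal Access"


@dataclass
class Site:
    """Constructed, simplified snapshot of a site's access configuration."""
    group_members: dict     # group name -> set of user names
    admin_groups: set       # groups holding administrator access
    browse_grants: dict     # project key -> set of Browse Projects grant holders
    portal_customers: dict  # project key -> set of users who are portal customers


def visibility_reasons(site, user, project):
    """Return every reason (assumed model) that `project` is visible to `user`."""
    groups = {g for g, members in site.group_members.items() if user in members}
    reasons = []
    for holder in sorted(site.browse_grants.get(project, ())):
        if holder == PORTAL_GRANT:
            # The portal grant only applies to customers of that project.
            if user in site.portal_customers.get(project, ()):
                reasons.append("browse: portal customer")
        elif holder in groups:
            reasons.append(f"browse: group {holder}")
    # Administrator access arrives through group membership, not the scheme.
    for g in sorted(groups & site.admin_groups):
        reasons.append(f"admin: group {g}")
    return reasons


def build_site(admin_groups):
    """Constructed sample data mirroring the situation in the ticket."""
    return Site(
        group_members={"jira-software-users": {"sw-user"}},
        admin_groups=set(admin_groups),
        browse_grants={"AT1": {PORTAL_GRANT}},
        portal_customers={"AT1": {"customer"}},
    )


as_reported = build_site({"jira-software-users"})  # group carries admin access
after_fix = build_site(set())                      # admin removed from the group

if __name__ == "__main__":
    for label, site in (("as reported", as_reported), ("after fix", after_fix)):
        print(label, visibility_reasons(site, "sw-user", "AT1"))
```

An empty result for the non-customer user after the group loses administrator access indicates the portal grant itself was not the source of the suggestions.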


            Glenn Bieger added a comment -

            Hi vchin, ktarasiuk@atlassian.com - friendly reminder that the SLA due date on this ticket is 9 days away. Are we looking good to get this resolved by then?

            Don't hesitate to reach out if there is anything security can help with.

              ktarasiuk@atlassian.com Karol
              vchin Vincent Chin (Inactive)