[JSDCLOUD-8649] Customer without permission to project can be added as a reporter of a request

Project: Jira Service Management Cloud

      Issue Summary

      A customer who does not have access to the project can still be selected as the reporter of a request in the project

      Steps to Reproduce

      1. Create a customer in a project
      2. Create a request in a different project (make sure the permission is set to "Customers my team adds to the project"). Once the request is created, set the reporter to the customer created in the first project

      Expected Results

      The customer is not selectable as a reporter since they do not have access to the project

      Actual Results

      The customer can be selected as the reporter

      Workaround

      Currently there is no known workaround for this behavior. A workaround will be added here when available
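An added example, not part of the original ticket and not Atlassian code: an audit that finds requests already affected by the behaviour described above, by flagging customer-type reporters who are not on the project's customer list or who are set on a non-service project. The records are constructed sample data; the field names (`fields.project.projectTypeKey`, `fields.reporter.accountType`) are assumed to follow the Jira Cloud REST issue JSON, and the `PROJECT_CUSTOMERS` mapping is a hypothetical export of each project's customers.

```python
# Constructed sample issues, shaped like Jira Cloud REST search results (assumption).
SAMPLE_ISSUES = [
    {"key": "SUP-1", "fields": {
        "project": {"key": "SUP", "projectTypeKey": "service_desk"},
        "reporter": {"accountId": "cust-a", "accountType": "customer"}}},
    {"key": "SUP-2", "fields": {
        "project": {"key": "SUP", "projectTypeKey": "service_desk"},
        "reporter": {"accountId": "cust-b", "accountType": "customer"}}},
    {"key": "DEV-1", "fields": {
        "project": {"key": "DEV", "projectTypeKey": "software"},
        "reporter": {"accountId": "cust-a", "accountType": "customer"}}},
    {"key": "SUP-3", "fields": {
        "project": {"key": "SUP", "projectTypeKey": "service_desk"},
        "reporter": {"accountId": "user-x", "accountType": "atlassian"}}},
    {"key": "SUP-4", "fields": {
        "project": {"key": "SUP", "projectTypeKey": "service_desk"},
        "reporter": None}},
]

# Hypothetical export: project key -> accountIds of customers added to that project.
PROJECT_CUSTOMERS = {"SUP": {"cust-a"}, "HR": {"cust-b"}}


def audit_reporters(issues, project_customers):
    """Return (issue key, reporter accountId, reason) for each suspect reporter."""
    findings = []
    for issue in issues:
        fields = issue.get("fields") or {}
        reporter = fields.get("reporter")
        if not reporter:
            continue  # no reporter set, nothing to check
        if reporter.get("accountType") != "customer":
            continue  # licensed users are outside the scope of this ticket
        project = fields.get("project") or {}
        if project.get("projectTypeKey") != "service_desk":
            reason = "customer set as reporter outside a service project"
        elif reporter.get("accountId") not in project_customers.get(project.get("key"), set()):
            reason = "customer is not on this project's customer list"
        else:
            continue  # customer belongs to this project
        findings.append((issue["key"], reporter["accountId"], reason))
    return findings


if __name__ == "__main__":
    for finding in audit_reporters(SAMPLE_ISSUES, PROJECT_CUSTOMERS):
        print(*finding, sep=" | ")
```
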


            Anusha Rutnam added a comment:

            Atlassian Update - January 2023

            After some analysis, we've found that this ticket is a duplicate of the request JSDCLOUD-10055 – Don't show users (or Portal Only Customer) who doesn't have Jira application access to appear on reporters and project roles list which has more votes.

            If you disagree with the closing of this ticket, please add a comment here saying why and we can reopen it as needed.

            Anusha Rutnam added a comment:

            ad6a7dfa16ba thank you for taking the time to give this feedback - I see what you mean, that there are specific implications for Jira Service Management projects that make this a distinct issue. Rather than closing this issue, I will add JRACLOUD-36896 as a linked related issue.

            Majken Longlade added a comment:

            Anusha - they are different to me, though fixing JRACLOUD-36896 would fix this.

            To me this is specifically about customers.

            I see the reasoning behind picking any Jira user as a reporter in regular projects. Someone who doesn't have permission to the project might have been the person that found the bug, or made the suggestion and you may want to keep track of that. That person is indeed a user in your Jira instance, so it makes sense you can pick them.

            With customers, however, they're not users of your instance, they're limited users of specific projects. I wouldn't expect to pick a customer as a reporter in a regular Jira project. I would expect the reporter to be the internal contact managing the issue, and to see the JSM tickets linked to the other request for traceability to the customers who are reporting a problem / asking for a solution.

            So I think this bug should be fixed even if JRACLOUD-36896 isn't, but if JRACLOUD-36896 is fixed then obviously that would fix this too.

            Anusha Rutnam added a comment:

            As Rostislav Harazin (very helpfully!) identified above, I believe this issue is a duplicate of JRACLOUD-36896 – Limit User Picker to members of certain groups/roles in System Fields. Although this issue is older, the above one has more votes.

            I recommend that watchers of this issue vote on and watch the above issue. So that votes aren't split, I believe this ticket should be closed, but I will wait a week before taking any action in case anyone thinks both issues should continue to exist. Thank you!

            Rostislav Harazin added a comment:

            Dear Atlassians,

            with all due respect to you and your amazing work, from our point of view this should not be a mere feature request. It should be reconsidered as a big bug.

            There are many similar reported issues (probably causing a fragmentation of votes) which proves in a way how big privacy concern it is.

            Suggestion: Don't show users (or Portal Only Customer) who doesn't have Jira application access to appear on reporters and project roles list (59 votes)
            https://jira.atlassian.com/browse/JSDCLOUD-10055
            Created 10/Mar/2011 2:03 PM

              • It is creating panic among our teams that clients visible in the Reporter field and if selected may provide clients access to our internal discussions, work, etc.

            Suggestion: Limit User Picker to members of certain groups/roles in System Fields (312 votes)
            https://jira.atlassian.com/browse/JRACLOUD-36896
            Created 07/Feb/2014 1:55 AM (related JRASERVER-7659 : 16/Aug/2005 4:13 PM)

              • The typical problem with the "Browse Users" permission is that we, and many others, invite external users (project partners, customers) to their JIRA projects, but cannot give them this permission, as that would disclose other customers/partners one is working with.
              • It is a big issue and seems like a problem for GDPR that even if you don't have access to another Jira project you can see that project's customer's personal information (name and email address).

            Suggestion: Restrict Reporter Field to only users with Create Issues Permission (51 votes)
            https://jira.atlassian.com/browse/JRACLOUD-42446
            Created: 13/Mar/2015 1:38 PM

              • Dangerous - it breaches privacy where issue content is shared in an email notification to the new "reporter"
              • Confusing - the new "reporter" doesn't understand the reference/relevance to their product support
              • Time wasting
                1. the "reporter" wastes their time in alerting us of the error in selecting the wrong reporter, and
                2. it wastes our time to understand what has happened and how to appropriately resolve the reporter used in error, and
                3. it delays the issue resolution if the SD Team member is trying to get further information from who they assume is the intended reporter to fix the issue. *Especially if the issue is a P1 or P2 these delays could be very bad.

            Bug: Customer without permission to project can be added as a reporter of a request (7 affected)
            https://jira.atlassian.com/browse/JSDCLOUD-8649
            Created 28/Nov/2019 12:27 PM (probably much more earlier according to issuekey)

              • Exposes customer contacts to any Jira user on the system.
              • External customers could be accidentally associated with others tickets not remotely related to theirs

            Suggestion: Customers shouldn't be suggested on User Picker custom fields on non-Jira Service Management projects (19 votes)
            https://jira.atlassian.com/browse/JRACLOUD-76780
            Created 07/Jun/2021 4:08 PM

            Maybe more.

            Majken Longlade added a comment:

            This also exposes customer contacts to any Jira user on the system. You may not want that info being shared with all teams in your Jira instance

            Dan Tombs added a comment:

            This is somewhat of a major flaw in the reporter field design. If you do not have access you should not be listed

            Dave Jackson added a comment:

            This is a HUGE issue as it is a privacy concern that external customers could be accidentally associated with others tickets not remotely related to theirs. GDPR, CCPA ... I mean take your pick. I'm amazed this issue getting more traction?

              Unassigned Unassigned
              nmohdkhalid Nabil
              Affected customers: 9
              Watchers: 9