- Type: Suggestion
- Resolution: Unresolved
- Component/s: API and Integrations
Problem Statement
Jira returns HTTP 200 responses with a null body to users who try to use the Issues REST API as a customer.
Issue Summary
Customers, in some environments, try to use Jira's API with basic authentication in order to query issues on the system.
In some cases, these customers do not have access to the issue in question but the API response is an HTTP 200.
Suggestion:
Instead of providing an HTTP 200, Jira should respond with an HTTP 403.
Why this happens:
When the customer tries to use Jira's API, but hits an endpoint that they don't have access to, JSM redirects the user to an accessible Customer Portal. This in turn means that the last response from Jira, to the User, is an HTTP 200 because they were redirected to the Portal and it loaded.
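A client-side check for the behaviour described above, as an added example that is not part of the original ticket or Jira's own code: it treats an HTTP 200 as success only when the body actually contains issue data, and keeps the redirect target as evidence. The `Hop` model, the sample response chains, the placeholder portal path, and the assumption that a successful issue lookup returns a JSON object with a `key` field are all constructed for illustration.

```python
import json
from dataclasses import dataclass, field

@dataclass
class Hop:
    """One HTTP response as the client saw it (hypothetical model, not a Jira type)."""
    status: int
    headers: dict = field(default_factory=dict)
    body: bytes = b""

    def header(self, name):
        # Header names are case-insensitive.
        return next((v for k, v in self.headers.items() if k.lower() == name.lower()), "")

def classify_issue_lookup(hops):
    """Return (verdict, redirect_target) for one issue GET.

    hops: every response received in order, redirects first, final response last.
    verdict: 'ok', 'denied', 'masked_denial' (200 without issue data) or 'error'.
    """
    final = hops[-1]
    # Last redirect target seen, kept as evidence for logs and alerts.
    target = next((h.header("Location") for h in reversed(hops[:-1])
                   if 300 <= h.status < 400), None)
    if final.status in (401, 403):
        return "denied", target
    if final.status != 200:
        return "error", target
    issue = None
    if "application/json" in final.header("Content-Type").lower() and final.body.strip():
        try:
            issue = json.loads(final.body)  # b"null" parses to None
        except ValueError:  # malformed JSON or undecodable bytes
            issue = None
    # Assumption: a real issue response is a JSON object carrying a "key" field.
    if isinstance(issue, dict) and "key" in issue:
        return "ok", target
    return "masked_denial", target

# Constructed sample chains; the portal path and issue key are placeholders.
PORTAL_REDIRECT = [
    Hop(302, {"Location": "/example-portal"}),
    Hop(200, {"Content-Type": "text/html"}, b"<html>Customer Portal</html>"),
]
NULL_BODY = [Hop(200, {"content-type": "application/json"}, b"null")]
REAL_ISSUE = [Hop(200, {"Content-Type": "application/json"}, b'{"key": "DEMO-1"}')]
FORBIDDEN = [Hop(403, {"Content-Type": "application/json"}, b"{}")]
```

An integration that records redirects (or disables automatic redirect following) can feed its responses into a check like this so that a masked denial is logged as an authorization failure rather than as an empty result.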