- Bug
- Resolution: Fixed
- Low
- 4.0.0, 4.20.0, 5.0.0, 5.12.0
- None
- 1
- Severity 3 - Minor
Issue Summary
This is reproducible on Data Center: yes
Steps to Reproduce
- Close a JSM ticket
- Respond to the feedback survey
- Check that the access log records the feedback token
- Use this same URL to change the feedback
Expected Results
- Jira would either not send the feedback token as a path parameter in the URL, or
- Jira would expire the token after being used
Actual Results
The same token can be used to change the feedback on the ticket.
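As an added illustration of the second expected result (this is not Atlassian's code or the fix that shipped; `FeedbackTokenStore` and its methods are hypothetical names), a token store that burns each token on first use, so a URL later read from an access log no longer works:

```python
import hashlib
import secrets
import time


class FeedbackTokenStore:
    """Hypothetical single-use feedback token store (illustration only)."""

    def __init__(self, ttl_seconds=7 * 24 * 3600, clock=time.time):
        self._ttl = ttl_seconds
        self._clock = clock          # injectable so expiry can be tested
        self._pending = {}           # sha256(token) -> (issue_key, expires_at)

    @staticmethod
    def _digest(token):
        # Keep only a hash, so reading the store does not yield usable tokens.
        return hashlib.sha256(token.encode("utf-8")).hexdigest()

    def issue(self, issue_key):
        """Create a fresh random token bound to one issue."""
        token = secrets.token_urlsafe(32)
        expires_at = self._clock() + self._ttl
        self._pending[self._digest(token)] = (issue_key, expires_at)
        return token

    def redeem(self, issue_key, token):
        """Return True exactly once for a valid token; replays return False."""
        # pop() removes the entry before any check, so the token is consumed
        # on first presentation. With a database this would be a single
        # atomic delete-and-return statement rather than read-then-delete.
        entry = self._pending.pop(self._digest(token), None)
        if entry is None:
            return False             # unknown or already used
        bound_issue, expires_at = entry
        if self._clock() > expires_at:
            return False             # expired before first use
        return bound_issue == issue_key
```
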
Workaround
So far, the possible workarounds are:
- Restrict the access to Jira's access log to only the Jira process user (and sysadmins)
- Rely on the change history of Issues to spot suspicious changes to the survey date
This example SQL prints all changes of issues that have had at least one change to the satisfaction response date:
```sql
-- Issues whose satisfaction date was changed after it had already been set
with csat_changes as (
    select distinct cg.issueid
    from changeitem ci
    join changegroup cg on cg.id = ci.groupid
    where ci.field = 'Satisfaction date'
      and ci.oldvalue is not null
)
-- Every satisfaction date change recorded for those issues
select i.id as "Issue Id",
       concat(p.pkey, concat('-', i.issuenum)) as "Issue Key",
       cg.created as "Change date",
       ci.oldvalue as "Old value",
       ci.newvalue as "New value"
from changeitem ci
join changegroup cg on cg.id = ci.groupid
join csat_changes csat on csat.issueid = cg.issueid
join jiraissue i on i.id = cg.issueid
join project p on p.id = i.project
where ci.field = 'Satisfaction date'
order by "Issue Key", cg.created;
```
Sample output:
```
 Issue Id | Issue Key |        Change date         |        Old value         |        New value
----------+-----------+----------------------------+--------------------------+--------------------------
    10201 | JSM-2     | 2024-02-23 01:14:51.063+00 |                          | 2024-02-23T01:14:51+0000
    10201 | JSM-2     | 2024-02-23 01:14:58.052+00 | 2024-02-23T01:14:51+0000 | 2024-02-23T01:14:58+0000
    10201 | JSM-2     | 2024-02-23 01:15:01.225+00 | 2024-02-23T01:14:58+0000 | 2024-02-23T01:15:01+0000
```
- relates to
- JSDSERVER-4056 Expire Satisfaction Feedback Token
- Gathering Interest