Asset custom field displays object labels to users without Asset objects access.


    Severity 3 - Minor

      Issue Summary

      The labels of objects are displayed in the asset custom field for users who do not have access to the asset objects.

      Steps to Reproduce

      • Create a schema and configure roles to ensure that only Jira administrator users are included in all three roles.

      • Within the schema, create an object type and add a new attribute named "Email", setting it as the label.

      • Create a custom field of type Asset objects and select the previously created schema. Then, in the Object attributes section on the Issue view, enable the Email attribute.

      • Create a Jira issue using the admin user and select the asset object in the custom field. As expected, the object will be displayed on the issue view screen as shown below.

      • Log in to Jira as a different user who is a member of the jira-servicedesk-users group, and open the issue created in the previous step.

      In this situation the user, who is a member of the jira-servicedesk-users group and holds no Users role on the object schema, cannot retrieve the object's attributes, so an error message stating that they are not authorized to view the content of this custom field is displayed. This is the expected behaviour by design.

      However, the screenshot above shows that users in the jira-servicedesk-users group, including this user, can still see the label value of the object despite having no permission to view its content. Here the label is an email address, so it is exposed without authorization, which is why this is reported as a security bug.

      Ideally, in such scenarios, attributes designated as labels should remain hidden from unauthorized users.
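      As an added illustration (a constructed model, not Jira's own code), the following Python contrasts the observed rendering, which resolves the label before the schema-role check, with the expected rendering, which hides the label as well. The Schema and AssetObject classes, the role-to-group mapping and the sample values are assumptions.

```python
from dataclasses import dataclass, field

@dataclass
class Schema:
    name: str
    # Role name -> groups holding that role (assumed representation of the
    # three schema roles: Managers, Developers, Users).
    roles: dict[str, set[str]] = field(default_factory=dict)

    def grants_access(self, user_groups: set[str]) -> bool:
        """A user may read the schema's objects if any of their groups holds any role."""
        return any(user_groups & groups for groups in self.roles.values())

@dataclass
class AssetObject:
    schema: Schema
    attributes: dict[str, str]
    label_attribute: str  # the attribute configured as the object's label

UNAUTHORIZED = "You are not authorized to view the content of this custom field"

def render_field_leaky(obj: AssetObject, user_groups: set[str], shown: list[str]) -> dict:
    """Behaviour the report describes: the label is resolved before the schema
    check, so a label such as an email address is returned alongside the error."""
    label = obj.attributes[obj.label_attribute]
    if not obj.schema.grants_access(user_groups):
        return {"label": label, "attributes": None, "error": UNAUTHORIZED}
    return {"label": label, "attributes": {k: obj.attributes[k] for k in shown}, "error": None}

def render_field(obj: AssetObject, user_groups: set[str], shown: list[str]) -> dict:
    """Expected behaviour: the schema check gates the label as well as the attributes."""
    if not obj.schema.grants_access(user_groups):
        return {"label": None, "attributes": None, "error": UNAUTHORIZED}
    return {"label": obj.attributes[obj.label_attribute],
            "attributes": {k: obj.attributes[k] for k in shown}, "error": None}

# Constructed sample mirroring the reproduction steps: all three roles are held
# by jira-administrators only, and "Email" is the label attribute.
SCHEMA = Schema("Employees", {"Managers": {"jira-administrators"},
                              "Developers": {"jira-administrators"},
                              "Users": {"jira-administrators"}})
PERSON = AssetObject(SCHEMA, {"Name": "Example Person", "Email": "person@example.test"}, "Email")

if __name__ == "__main__":
    for groups in ({"jira-administrators"}, {"jira-servicedesk-users"}):
        print(sorted(groups), "leaky:", render_field_leaky(PERSON, groups, ["Email"]))
        print(sorted(groups), "fixed:", render_field(PERSON, groups, ["Email"]))
```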

      Expected Results

      The label attribute values should not be visible to users who are not part of the schema-users group.

      Actual Results

      Users who are not members of the schema users group can still view the attribute that is designated as a label.

      Workaround

      Set a label attribute that does not contain any sensitive or personally identifiable information. However, please note that this may not be feasible in all cases.


            Assignee: Mingyi Yang
            Reporter: Navneeth S