[JSDSERVER-6082] Opening an attachment linked using link notation (with pipeline) on Customer portal results in 403 Forbidden error

Type: Bug
Resolution: Fixed
Priority: Highest
Fix Version/s: 3.16.2, 4.1.0
Affects Version/s: 3.15.1, 3.16.1
Component/s: Customer Portal
Labels:
- cqt

Fixed in Long Term Support Release/s:

Download 3.16
Support reference count:
17
Symptom Severity:
Severity 2 - Major
UIS:
51
Bug Fix Policy:
View Atlassian Server bug fix policy

Summary

Opening an attachment on Customer portal that was linked using link notation (with pipeline) results in 403 Forbidden error

Steps to Reproduce

As an agent:

Log in as an agent and open a ticket
Attach a file and refer to it in a comment using pipeline:
```
[Example|^example.txt]
```
The file gets attached:

As a customer:

Access the ticket via Customer portal
Open the attached file

Expected Results

Customer on the portal is able to access the attachment.

Actual Results

Customer on the portal is not able to access the attachments as the 403 Forbidden error gets displayed:

Workaround

Avoid using pipeline notation for link by attaching the file using the following notation:

 [^example.txt]

Note

– The file can be accessed through the agent view
– This cannot be reproduced on some earlier versions (tested on Service Desk 3.11.1)

- - Sort By Name
  - Sort By Date
  - Ascending
  - Descending
  - Thumbnails
  - List

screenshot-1.png
7 kB
17/Oct/2018 9:11 AM
screenshot-2.png
17 kB
17/Oct/2018 9:11 AM

is duplicated by

JSDSERVER-6115 Attachments publicly shared by an Agent with some specific dimensions can't be seen from the customer portal

Closed

JSDSERVER-6151 Attachment with Alias is not downloadable from Portal

Closed

is related to

JSDSERVER-6115 Attachments publicly shared by an Agent with some specific dimensions can't be seen from the customer portal

Closed

JSDSERVER-6151 Attachment with Alias is not downloadable from Portal

Closed

is cloned by: JSMDC-3502 You do not have permission to view this issue

mentioned in: Page Loading...

(1 mentioned in)

Form Name

Rodrigo Jose Zaparoli made changes - 30/Aug/2023 12:57 PM

Remote Link

Original: This issue links to "JSDS-3502 (Bulldog)" [ 409988 ]

New: This issue links to "JSMDC-3502 (JIRA Server (Bulldog))" [ 409988 ]

set-jac-bot made changes - 22/May/2020 8:10 AM

Fixed in Enterprise Release/s

New: [Download 3.16|https://confluence.atlassian.com/enterprise/atlassian-enterprise-releases-948227420.html]

Manuel Jesús Morión Barea added a comment - 24/Apr/2019 3:10 PM - edited

Hi,

I want to share the workaround I have develop for this bug.

I discovered that if the linked file is also linked in another comment without alias, the links with alias works.

With that info, I have created a Script Runner Listener on comment creation and comment edition of Service Desk projects.

If a public comment is created or edited, and that comment contains file links with alias, the script cretes a new comment only with the linked files, but this time without alias:

import com.atlassian.jira.bc.issue.comment.property.CommentPropertyService
import com.atlassian.jira.component.ComponentAccessor
import com.atlassian.jira.event.issue.IssueEvent
import com.atlassian.jira.issue.comments.Comment
import groovy.json.JsonSlurper
import java.util.regex.*

final SD_PUBLIC_COMMENT = "sd.public.comment"

def event = event as IssueEvent
def user = event.getUser()
def comment = event.getComment()
def commentPropertyService = ComponentAccessor.getComponent(CommentPropertyService)

def isInternal = { Comment c ->
  def commentProperty = commentPropertyService.getProperty(user, c.id, SD_PUBLIC_COMMENT)
  .getEntityProperty().getOrNull()

  if (commentProperty) {
    def props = new JsonSlurper().parseText(commentProperty.getValue())
    props['internal'].toBoolean()
  } else {
    null
  }
}

if (comment && !isInternal(comment)) {
  String txt = comment.getBody()

  def files = []
  Pattern filepat = Pattern.compile("\\[.*\\|\\^(.*)\\]")
  Matcher m = filepat.matcher(txt)
  while (m.find()) {
    files << "[^"+m.group(1)+"]"
  }

  if(files){
    def commentManager = ComponentAccessor.getCommentManager()
    commentManager.create(issue, comment.getAuthor(), files.join("\n"), false)
  }
}

This way, the original alias link works ok.

I hope this may help.

Regards.

Manuel Jesús Morión Barea added a comment - 24/Apr/2019 3:10 PM - edited Hi, I want to share the workaround I have develop for this bug. I discovered that if the linked file is also linked in another comment without alias, the links with alias works. With that info, I have created a Script Runner Listener on comment creation and comment edition of Service Desk projects. If a public comment is created or edited, and that comment contains file links with alias, the script cretes a new comment only with the linked files, but this time without alias: import com.atlassian.jira.bc.issue.comment.property.CommentPropertyService import com.atlassian.jira.component.ComponentAccessor import com.atlassian.jira.event.issue.IssueEvent import com.atlassian.jira.issue.comments.Comment import groovy.json.JsonSlurper import java.util.regex.* final SD_PUBLIC_COMMENT = "sd. public .comment" def event = event as IssueEvent def user = event.getUser() def comment = event.getComment() def commentPropertyService = ComponentAccessor.getComponent(CommentPropertyService) def isInternal = { Comment c -> def commentProperty = commentPropertyService.getProperty(user, c.id, SD_PUBLIC_COMMENT) .getEntityProperty().getOrNull() if (commentProperty) { def props = new JsonSlurper().parseText(commentProperty.getValue()) props[ 'internal' ].toBoolean() } else { null } } if (comment && !isInternal(comment)) { String txt = comment.getBody() def files = [] Pattern filepat = Pattern.compile( "\\[.*\\|\\^(.*)\\]" ) Matcher m = filepat.matcher(txt) while (m.find()) { files << "[^" +m.group(1)+ "]" } if (files){ def commentManager = ComponentAccessor.getCommentManager() commentManager.create(issue, comment.getAuthor(), files.join( "\n" ), false ) } } This way, the original alias link works ok. I hope this may help. Regards.

Julien Rey made changes - 12/Apr/2019 1:09 PM

Remote Link

New: This issue links to "Page (Confluence)" [ 419502 ]

moofoo (Inactive) made changes - 10/Apr/2019 4:51 AM

Fix Version/s

Original: 4.0.3 [ 85793 ]

Lachlan G (Inactive) made changes - 10/Apr/2019 4:50 AM

Resolution		New: Fixed [ 1 ]
Status	Original: Waiting for Release [ 12075 ]	New: Closed [ 6 ]

Bugfix Automation Bot made changes - 09/Apr/2019 10:01 PM

Support reference count

Original: 16

New: 17

SET Analytics Bot made changes - 09/Apr/2019 1:45 AM

UIS

Original: 116

New: 51

Lachlan G (Inactive) made changes - 08/Apr/2019 5:19 AM

Fix Version/s

New: 4.1.0 [ 85506 ]

SET Analytics Bot made changes - 04/Apr/2019 12:23 AM

UIS

Original: 110

New: 116

Assignee:: Aliaksei Melnikau (Inactive)

Reporter:: Marko Filipan

Affected customers:: 19 This affects my team

Watchers:: 26 Start watching this issue

Created:: 17/Oct/2018 9:10 AM

Updated:: 30/Aug/2023 12:57 PM

Resolved:: 10/Apr/2019 4:50 AM

Details

Description

Summary

Steps to Reproduce

Expected Results

Actual Results

Workaround

Note

Attachments

Attachments

Issue Links

Forms

Activity

Collapse comment: Manuel Jesús Morión Barea added a comment - 24/Apr/2019 3:10 PM, Edited by Manuel Jesús Morión Barea - 24/Apr/2019 3:31 PM

Expand comment: Manuel Jesús Morión Barea added a comment - 24/Apr/2019 3:10 PM, Edited by Manuel Jesús Morión Barea - 24/Apr/2019 3:31 PM

People

Dates

Backbone Issue Sync