[JSDSERVER-6429] When the 'Any logged in user' permission is added to 'Browse Project' permission in a Service Desk project, customer will automatically receive notifications when mentioned in an internal comment.

Type: Bug
Resolution: Fixed
Priority: Medium
Fix Version/s: 5.11.0, 5.4.10, 5.10.2, 5.12.0
Affects Version/s: 3.15.3, 4.4.1, 4.20.13
Component/s: Customer Notification
Labels:

Support reference count:
7
Symptom Severity:
Severity 3 - Minor
UIS:
0
Bug Fix Policy:
View Atlassian Server bug fix policy

Issue Summary

When the 'Any logged in user' permission is added to 'Browse Project' permission in a Service Desk project, customer will automatically receive notifications when mentioned in an internal comment.

Steps to Reproduce

Test Case1:

Create a Service Desk project.
Head to project settings > Permission Scheme.
Add the 'Application Access' > 'Any logged in user' permission in the 'Browse Project' permission
Head to an issue, then, mention a customer in the ticket.

Test Case 2:

The customer creates the following ticket “SD Test 1”
Head to project settings > Permission Scheme.
Add "Reporter" to the 'Browse Project' permission
The Agent add an Internal Comment and mentioned The customer in the internal comment

Expected Results

Customer will not be receiving any notifications when an internal comment is added.

Actual Results

Customer receives notification when an internal comment is added.

Workaround

For Test Case1:

Remove the 'Any logged in user' permission in the 'Browse Project' permission of project,

For Test Case2:

As a workaround for this, you can use "Service project customer - portal access" and remove the Reporter from Browse permission, then the notification won't be sent when the reporter is mentioned in the internal comment.

is duplicated by

JRASERVER-75543 View all Project: Incorrect reading order

Closed

is related to

JRASERVER-76986 Jira does not publish Issue ID with Mention Event, which downstream affects JSM filtering

Closed

mentioned in: Page Failed to load

Form Name

Alex Cooksey added a comment - 07/Sep/2023 4:52 AM

Hey a50e972304de!

Sorry I missed your initial comment. JSM 5.4.10 has just been released - this fix should now be available for you now.

Thanks for your feedback and interest in this issue, please get in touch if theres anything more we can support on.

Alex

Alex Cooksey added a comment - 07/Sep/2023 4:52 AM Hey a50e972304de ! Sorry I missed your initial comment. JSM 5.4.10 has just been released - this fix should now be available for you now. Thanks for your feedback and interest in this issue, please get in touch if theres anything more we can support on. Alex

Kevin Dekan added a comment - 30/Aug/2023 9:40 AM

Any news on the release date for 5.4.10?

Kevin Dekan added a comment - 30/Aug/2023 9:40 AM Any news on the release date for 5.4.10?

Kevin Dekan added a comment - 23/Mar/2023 4:54 PM

@Atlassian are you aware that this is a serious information security issue? Internal comments are leaked to external parties, I would not dare to classify this as "minor".

Kevin Dekan added a comment - 23/Mar/2023 4:54 PM @Atlassian are you aware that this is a serious information security issue? Internal comments are leaked to external parties, I would not dare to classify this as "minor".

Kevin Dekan added a comment - 28/Feb/2023 8:22 AM

Dear Atlassian,

I think it is irresponsible to leave a bug unresolved for nearly four years.

I think you should raise the priority for this bug and start working on a solution, because this is a serious risk for us and any other company in the EU - have you heard of GDPR?

Thanks!

Kevin Dekan added a comment - 28/Feb/2023 8:22 AM Dear Atlassian, I think it is irresponsible to leave a bug unresolved for nearly four years. I think you should raise the priority for this bug and start working on a solution, because this is a serious risk for us and any other company in the EU - have you heard of GDPR? Thanks!

Assignee:: Sam Xu

Reporter:: Putri Nur Dayana Kamarudin (Inactive)

Affected customers:: 4 This affects my team

Watchers:: 9 Start watching this issue

Created:: 20/Jun/2019 8:27 AM

Updated:: 26/Jan/2024 4:27 PM

Resolved:: 30/Aug/2023 2:41 PM

Details

Description

Issue Summary

Steps to Reproduce

Expected Results

Actual Results

Workaround

Attachments

Issue Links

Forms

Activity

Collapse comment: Alex Cooksey added a comment - 07/Sep/2023 4:52 AM

Expand comment: Alex Cooksey added a comment - 07/Sep/2023 4:52 AM

Collapse comment: Kevin Dekan added a comment - 30/Aug/2023 9:40 AM

Expand comment: Kevin Dekan added a comment - 30/Aug/2023 9:40 AM

Collapse comment: Kevin Dekan added a comment - 23/Mar/2023 4:54 PM

Expand comment: Kevin Dekan added a comment - 23/Mar/2023 4:54 PM

Collapse comment: Kevin Dekan added a comment - 28/Feb/2023 8:22 AM

Expand comment: Kevin Dekan added a comment - 28/Feb/2023 8:22 AM

People

Dates

Backbone Issue Sync