
Internal comments on agents view trigger workbox notification in Confluence

    • Type: Bug
    • Resolution: Not a bug
    • Priority: Low
    • None
    • 4.5.4
    • Email - Outgoing
    • None

      Issue Summary

      Internal comments on agents view trigger workbox notification in Confluence and are causing security problems in customer environments

      Steps to Reproduce

      1. Have an application link set up and configured using OAuth with Confluence, in this case v6.13.7
      2. Create two users with application access and browse project permission only in a Jira Service Desk project
      3. Create a new ticket
      4. Add them as watchers in a ticket from the agent view
      5. Add an internal comment from the Jira Service Desk agent view
      6. Check workbox notifications in Confluence by logging in as those users
      7. Workbox notifications trigger in Confluence from Jira only on 'Comments on issues that you are watching' (see our official documentation, "Which notifications are included?")

      Detailed replication steps are in this screen recording: Replication_Steps_JiraServiceDesk.mp4

      The same behavior is not replicable in Jira Software when adding restricted comments: Not_replicable_JiraSoftware.mp4

      Expected Results

      Internal comments should not be triggered as workbox notifications in Confluence; they should be handled in the same way as in Jira Software

      Actual Results

      Internal comments are being triggered to customers as workbox notifications in Confluence, which is causing security problems in customer environments

      Workaround

      Refer to the heading 'Stopping Jira applications from sending notifications to Confluence' in this KB article Configuring Workbox Notifications 

            [JSDSERVER-6822] Internal comments on agents view trigger workbox notification in Confluence

            Karan Ahuja made changes -
            Remote Link Original: This issue links to "JSDSS-115 (Bulldog)" [ 479867 ] New: This issue links to "JSDSS-115 (JIRA Server (Bulldog))" [ 479867 ]
            Sriteja Kattamuru (Inactive) made changes -
            Comment [ A comment with security level 'atlassian-staff' was removed. ]

            Aidan Goldthorpe added a comment -

            andrey.oleynik1934811064 JSD can be used to help agents work with developers, which we refer to as collaborators. In this case, we would expect them to be able to view the internal discussion, as it often provides useful context for a developer.

            If you support internal users, they can still raise requests via the customer portal and interact with JSD as an external customer would. As mentioned under "The easiest way to collaborate", you can add users as request participants, which would also allow them to interact with requests raised without requiring the browse projects permission.

            Hope this helps.

            Andrey Oleynik added a comment -

            Please comment on this article: https://confluence.atlassian.com/servicedeskserver/collaborate-with-other-jira-teams-on-jira-service-desk-issues-950813501.html

            How to work with Collaborators without permission to view projects
            Aidan Goldthorpe made changes -
            Link New: This issue relates to JSDSERVER-3392 [ JSDSERVER-3392 ]

            Andrey Oleynik added a comment - edited

            We support users of the JIRA Software (for us, they are Customers) and every user who created a request in JIRA Service Desk can view their requests through JIRA Software.
            Aidan Goldthorpe made changes -
            Resolution New: Not a bug [ 12 ]
            Status Original: Needs Triage [ 10030 ] New: Closed [ 6 ]

            Aidan Goldthorpe added a comment -

            If users have browse projects for the JSD project (as is required for them to become watchers on an issue), this means they would be able to view the internal comment on this issue regardless. This means the notifications being propagated to Confluence is not a bug.
            Aidan Goldthorpe made changes -
            Remote Link New: This issue links to "JSDSS-115 (Bulldog)" [ 479867 ]
            Aidan Goldthorpe made changes -
            Attachment New: Screen Shot 2020-04-21 at 2.46.16 pm.png [ 387175 ]
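
An audit of the population this issue is about, added here as an example and not Atlassian's code: it lists non-agent watchers who hold Browse Projects on issues that carry internal comments, the group the resolution comment says can already read those comments. The data layout, user names and the `audit` function are assumptions, and the sample data is constructed.

```python
# Added example; every value below is constructed, not real Jira output.
PROJECT = {
    "key": "HELP",
    # Users granted Browse Projects on the service desk project (assumed export).
    "browse_projects": {"agent.amy", "dev.bob", "dev.carol"},
    # Users acting as agents on the project (assumed export).
    "agents": {"agent.amy"},
}

ISSUES = [
    {"key": "HELP-1", "watchers": ["agent.amy", "dev.bob"],
     "comments": [{"id": 1, "internal": True}, {"id": 2, "internal": False}]},
    {"key": "HELP-2", "watchers": ["dev.carol"],
     "comments": [{"id": 3, "internal": False}]},
    {"key": "HELP-3", "watchers": ["dev.bob", "dev.carol", "cust.dan"],
     "comments": [{"id": 4, "internal": True}]},
]


def audit(project, issues):
    """Map each non-agent user to the issues whose internal comments they can read.

    Follows the resolution: a watcher must hold Browse Projects, and anyone
    holding it can read internal comments, so the Confluence workbox
    notification shows nothing the user could not already open in Jira.
    Watchers without Browse Projects contradict that premise and are
    returned separately for manual review.
    """
    exposed, anomalies = {}, []
    for issue in issues:
        if not any(c["internal"] for c in issue["comments"]):
            continue  # no internal comment, nothing sensitive to notify about
        for user in issue["watchers"]:
            if user in project["agents"]:
                continue  # agents are the intended audience
            if user not in project["browse_projects"]:
                anomalies.append((issue["key"], user))
                continue
            exposed.setdefault(user, []).append(issue["key"])
    return exposed, anomalies


if __name__ == "__main__":
    exposed, anomalies = audit(PROJECT, ISSUES)
    for user, keys in sorted(exposed.items()):
        print(f"{user}: can read internal comments on {', '.join(keys)}")
    for key, user in anomalies:
        print(f"review: {user} watches {key} without Browse Projects")
```

Users reported by the audit are candidates for the request-participant setup mentioned in the comments, or for the notification workaround in the KB article.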

              Unassigned
              skattamuru@atlassian.com Sriteja Kattamuru (Inactive)