-
Bug
-
Resolution: Not a bug
-
Low
-
None
-
4.5.4
-
None
-
1
-
Severity 2 - Major
-
Issue Summary
Internal comments on agents view trigger workbox notification in Confluence and are causing security problems in customer environments
Steps to Reproduce
- Have an application link setup configurated using OAuth with Confluence, in this case, v6.13.7
- Create two users with application access and browse project permission only in a Jira Service Desk project
- Create a new ticket
- Add them as watchers in a ticket from the agent view
- Add an internal comment from Jira service desk agent view
- Check workbox notification in confluence by logging in as those users
- Workbox notifications trigger in confluence from Jira only on 'Comments on issues that you are watching' our official documentation Which notifications are included?
Detailed replication steps are in this screen recording: Replication_Steps_JiraServiceDesk.mp4
The same behavior is not replicable in Jira Software when adding restricted comments: Not_replicable_JiraSoftware.mp4
Expected Results
Internal comments should not be triggered as workbox notification in Confluence, should be handled in the same way as done in Jira Software
Actual Results
Internal comments are being triggered to customers as workbox notifications in Confluence, which are causing security problems in customer environments
Workaround
Refer to the heading 'Stopping Jira applications from sending notifications to Confluence' in this KB article Configuring Workbox Notifications
- relates to
-
JSDSERVER-3392 Restrict internal comments to only users listed in project roles
- Gathering Interest
- causes
-
JSDSS-115 You do not have permission to view this issue
| Form Name | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
[JSDSERVER-6822] Internal comments on agents view trigger workbox notification in Confluence
| Remote Link | Original: This issue links to "JSDSS-115 (Bulldog)" [ 479867 ] | New: This issue links to "JSDSS-115 (JIRA Server (Bulldog))" [ 479867 ] |
| Comment | [ A comment with security level 'atlassian-staff' was removed. ] |
Please comment on this article: https://confluence.atlassian.com/servicedeskserver/collaborate-with-other-jira-teams-on-jira-service-desk-issues-950813501.html
How to work with Collaborators without permission to view projects
| Link | New: This issue relates to JSDSERVER-3392 [ JSDSERVER-3392 ] |
We support users of the JIRA Software (for us, they are Customers) and every user who created a request in JIRA Service Desk can view their requests through JIRA Software.
| Resolution | New: Not a bug [ 12 ] | |
| Status | Original: Needs Triage [ 10030 ] | New: Closed [ 6 ] |
If users have browse projects for the JSD project (as is required for them to become watchers on an issue), this means they would be able to view the internal comment on this issue regardless. This means the notifications being propagated to Confluence is not a bug
| Remote Link | New: This issue links to "JSDSS-115 (Bulldog)" [ 479867 ] |
| Attachment | New: Screen Shot 2020-04-21 at 2.46.16 pm.png [ 387175 ] |
andrey.oleynik1934811064 JSD can be used to help agents work with developers, which we refer to as collaborators. In this case, we would expect them to be able to view the internal discussion, as it often provides useful context for a developer.
If you support internal users, they can still raise requests via the customer portal and interact with JSD as an external customer would. As mentioned under "The easiest way to collaborate", you can add users as request participants, which would also allow them to interact with requests raised without requiring the browse projects permission.
Hope this helps.