Details
-
Bug
-
Resolution: Not a bug
-
Low
-
None
-
4.5.4
-
None
-
1
-
Severity 2 - Major
-
Description
Issue Summary
Internal comments on agents view trigger workbox notification in Confluence and are causing security problems in customer environments
Steps to Reproduce
- Have an application link setup configurated using OAuth with Confluence, in this case, v6.13.7
- Create two users with application access and browse project permission only in a Jira Service Desk project
- Create a new ticket
- Add them as watchers in a ticket from the agent view
- Add an internal comment from Jira service desk agent view
- Check workbox notification in confluence by logging in as those users
- Workbox notifications trigger in confluence from Jira only on 'Comments on issues that you are watching' our official documentation Which notifications are included?
Detailed replication steps are in this screen recording: Replication_Steps_JiraServiceDesk.mp4
The same behavior is not replicable in Jira Software when adding restricted comments: Not_replicable_JiraSoftware.mp4
Expected Results
Internal comments should not be triggered as workbox notification in Confluence, should be handled in the same way as done in Jira Software
Actual Results
Internal comments are being triggered to customers as workbox notifications in Confluence, which are causing security problems in customer environments
Workaround
Refer to the heading 'Stopping Jira applications from sending notifications to Confluence' in this KB article Configuring Workbox Notifications
Attachments
Issue Links
- relates to
-
JSDSERVER-3392 Restrict internal comments to only users listed in project roles
- Gathering Interest
- causes
-
JSDSS-115 Loading...