[JSWSERVER-24779] BUG: Manage shared team is allowed even if "Shared Team Management" permission is not granted

Type: Bug
Resolution: Unresolved
Priority: Medium (View bug fix roadmap)
Fix Version/s: None
Affects Version/s: 8.20.0, 8.22.0
Component/s: (Advanced Roadmaps) Permissions
Labels:

Introduced in Version:
8.2
Support reference count:
2
Symptom Severity:
Severity 2 - Major
UIS:
1
Bug Fix Policy:
View Atlassian Server bug fix policy

Expected Behavior

Only users with "Shared Team Management" are able to edit a shared team, or share a presently private team.

Actual Behavior

Any user with access to a plan in which any team is added can modify that team - regardless of it being shared or private - or share a private team.

Steps to Reproduce

Create any team and add it to a plan accessible by any user;
Access the plan as a user without "Shared Team Management" permission;

Workaround

There is no known workaround at this time.

- - Sort By Name
  - Sort By Date
  - Ascending
  - Descending
  - Thumbnails
  - List

image-2018-01-10-12-25-33-240.png
11 kB
10/Jan/2018 11:25 AM

relates to

JSWSERVER-25253 Add possibility to unshare a team.

Under Consideration

JPOS-1673 You do not have permission to view this issue

links to

Internal ticket

mentioned in: Page Failed to load; Page Failed to load

Form Name

Aakrity Tibrewal added a comment - 09/Oct/2023 12:17 PM

Dear all,
I would like to inform you that this issue in the project JPOSERVER is being migrated to the new project JSWSERVER. Your votes and comments will remain unchanged.
Our team at Atlassian will continue to monitor this issue for further updates, so please feel free to share your thoughts or feedback in the comments.
Sincerely,
Aakrity Tibrewal
Jira DC

Aakrity Tibrewal added a comment - 09/Oct/2023 12:17 PM Dear all, I would like to inform you that this issue in the project JPOSERVER is being migrated to the new project JSWSERVER. Your votes and comments will remain unchanged. Our team at Atlassian will continue to monitor this issue for further updates, so please feel free to share your thoughts or feedback in the comments. Sincerely, Aakrity Tibrewal Jira DC

Matthias Krauss added a comment - 20/Feb/2020 7:44 AM - edited

Hello @qfeyaerts

is there any advice how users should proceed, now after you closed this issue?

On the one hand we are even happy that it won't be changed, as this bug was kind of the only way to use Teams in Jira (not Portfolio) without giving thousands of users the shared team mgmt persmission (which cannot be done as that admin interface is rather rudimentary, everybody could change delete teams of others without notice)

BR

Matthias Krauss added a comment - 20/Feb/2020 7:44 AM - edited Hello @qfeyaerts is there any advice how users should proceed, now after you closed this issue? On the one hand we are even happy that it won't be changed, as this bug was kind of the only way to use Teams in Jira (not Portfolio) without giving thousands of users the shared team mgmt persmission (which cannot be done as that admin interface is rather rudimentary, everybody could change delete teams of others without notice) BR

Markus Dieterle added a comment - 22/Feb/2018 3:33 PM - edited

Exactly the same Issue here v 2.10.0

Portfolio Users also cannot be reduced due to this missing function: https://jira.atlassian.com/browse/JPOSERVER-1681

It is also not possible to unshare the teams, I would have to delete them : (https://jira.atlassian.com/browse/JPOSERVER-1544 ).

Markus Dieterle added a comment - 22/Feb/2018 3:33 PM - edited Exactly the same Issue here v 2.10.0 Portfolio Users also cannot be reduced due to this missing function: https://jira.atlassian.com/browse/JPOSERVER-1681 It is also not possible to unshare the teams, I would have to delete them : ( https://jira.atlassian.com/browse/JPOSERVER-1544 ).

Eryk Leniart added a comment - 10/Jan/2018 4:20 PM

REST endpoint responsible for sharing portfolio team is not limited to Jira administrators or users with 'Shared Team Management' permission.

Every Jira user is able to send POST request to: /rest/teams/1.0/teams/{team_id}/setShared and share any team !

Eryk Leniart added a comment - 10/Jan/2018 4:20 PM REST endpoint responsible for sharing portfolio team is not limited to Jira administrators or users with 'Shared Team Management' permission. Every Jira user is able to send POST request to: /rest/teams/1.0/teams/{team_id}/setShared and share any team !

Details

Description

Expected Behavior

Actual Behavior

Steps to Reproduce

Workaround

Attachments

Attachments

Issue Links

Forms

Activity

Collapse comment: Aakrity Tibrewal added a comment - 09/Oct/2023 12:17 PM

Expand comment: Aakrity Tibrewal added a comment - 09/Oct/2023 12:17 PM

Collapse comment: Matthias Krauss added a comment - 20/Feb/2020 7:44 AM, Edited by Matthias Krauss - 20/Feb/2020 7:45 AM

Expand comment: Matthias Krauss added a comment - 20/Feb/2020 7:44 AM, Edited by Matthias Krauss - 20/Feb/2020 7:45 AM

Collapse comment: Markus Dieterle added a comment - 22/Feb/2018 3:33 PM, Edited by Markus Dieterle - 13/Apr/2018 8:09 AM

Expand comment: Markus Dieterle added a comment - 22/Feb/2018 3:33 PM, Edited by Markus Dieterle - 13/Apr/2018 8:09 AM

Collapse comment: Eryk Leniart added a comment - 10/Jan/2018 4:20 PM

Expand comment: Eryk Leniart added a comment - 10/Jan/2018 4:20 PM

People

Dates