JIRA Forms security
I'm testing forms functionality because seems to be more clearly to use when user complete the fields. The setup issues is for the request for vacations workflow, that i made with custom fields and automations.
But i'm worried about. I share the form by email link for a person that not have access to JIRA and let me entry to form, complete information and create the issue. Project is restricted to some users and forms is restricted to LImited, but let me share by email to person without access to JIRA and are not in project?
Its a security fail? Could yo confirm this functionality?
Thanks
Alejandra
1 answer
Hello @Alejandra Martin
Do I understand correctly that you:
1. Created a Form.
2. Set the Form access to Limited.
3. Got a Link for the form.
4. Gave that link to another person who does not have a Jira License.
5. That user was able to access the form with that link, complete the form, and submit the form without error.
6. An item was created in the Jira project from that form?
What type of project does this concern? Get that information from the Type column on the Projects page. You can reference that page through Projects > More Projects > View All Projects. Example:
Based on the project Type I will have additional questions about the specific permissions configuration for your project.
Hi Trudy!!! Me again with questions. I make the steps you describe above. The project is Company-managed-business. Thanks for your help!
Thank you for that additional information Alejandra.
I have not been able to recreate your problem working with a Company Managed Business project and a Form set to Limited access.
The next thing we should examine is the Permissions for the project.
Go to Project Settings > Permissions. Please share with us the settings for the Create Issue permission. Example:
The project role "atlassian-addons-project-access" is used only by apps and the role membership cannot be modified. So then you would need to look at all the other users, groups, roles, etc. granted that permission and confirm that the user is not a member of any of them.
You should also double check in https://admin.atlassian.com, looking up the user to see if they have any access to your site or your products.
I used the same configuration as above and provided the URL to other users who have Atlassian Cloud accounts and have access to other Atlassian Jira Cloud instances. In all tests the users received a message that they did not have access to my Site and needed to request access.
I also provide the URL to a user that has access to my Jira instance but does not have the Create Issue permission in the target project. In that case the user got the message "You don't have access to this form".
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.