Filter permissions question

Is there an reason why only the owner of the filter can edit the filter?

 

From a security standpoint it adds an additional 3 steps per filter to edit in the event that an user accidentally share a filter with the Global ("Everyone") setting.  An admin cannot just edit the filter to change it to a compliant share setting, without changing the owner, then find the dashboard, edit the permission, then change the owner back to the original owner.  Filters are prone to being accidentally shared externally because the first share option is "Everyone" which is the Global setting.  We are able to setup monitoring via unauthenticated queries against the vulnerable manage filter endpoint https://site.atlassian.net/secure/ManageFilters.jspa?filterView=search

 

Using the API as a proof of concept on a filter that I own it's possible to do a 

GET /rest/api/2/filter/{id}/permission

If JSON.parse(response.body)[0]['type'] == 'Global'

DELETE /rest/api/2/filter/{id}/permission/JSON.parse(respones.body)[0]['id']

POST /rest/api/2/filter/{id}/permission request.body={type: 'group', groupname: 'jira-administrators'}.to_json

end

 

However when the owner of the filter is not an admin this does not work.  I'm trying to get over 100 filters corrected on a weekly basis since the users do not understand that sharing the filter with everyone results in the filters being exposed to the world.  

 

1 answer

Are you concerned that users will get access to data they should not see if filters are shared accidently?

If so, then maybe you should look are your permission schemes. The filters will respect these and even if the filter is available to someone they will need to have the correct permissions to allow them to view the data.

Suggest an answer

Log in or Join to answer
Community showcase
Teodora [Botron]
Published Thursday in Marketplace Apps

Jira Inferno: The Nine Circles of Jira Administration Hell

If you spend enough time as a Jira admin - whether you are managing a single, mid-sized instance, a large enterprise one or juggling multiple instances at once - you will eventually find yourself in ...

476 views 1 15
Read article

Atlassian User Groups

Connect with like-minded Atlassian users at free events near you!

Find a group

Connect with like-minded Atlassian users at free events near you!

Find my local user group

Unfortunately there are no AUG chapters near you at the moment.

Start an AUG

You're one step closer to meeting fellow Atlassian users at your local meet up. Learn more about AUGs

Groups near you
Atlassian Team Tour

Join us on the Team Tour

We're bringing product updates and pro tips on teamwork to ten cities around the world.

Save your spot