Jira Cloud - mobile app. How to prevent mobile users from @mentioning people outside their projects?

PP January 17, 2018

Hello.

I'm a fairly new Cloud JIRA administrator, but I had a bunch of projects, workflows and kanban boards set up.

I have recently made a new project and during the internal testing, User_A told me he could @mention anyone from the whole JIRA instance in comments in Project_A.

I have checked it: both with a test user belonging to the same groups and having identical permissions, and by logging in as User_A through the Admin panel, I could not reproduce the issue.

Turns out he was using the mobile app the whole time. He gave me a bunch of example names from other projects Project_B and Project_C he has no access to (and users from these projects have no access to the Project_A).

Once I took away "Browse Users" permission from the group he belonged to, he couldn't @mention anyone, neither through web nor through the app. Apparently, for mobile, the description is taken literally ("View and select users or groups from the user picker, and share issues. Users with this permission can see the names of all users and groups on your site."), though for web it is that minus users who have no viewing rights for the issue - which effectively makes it work on "per project" basis (which is great, since Atlassian will not make).

The only setting for mobile I could find was "enable/disable" in the Project Summary screen.

Am I missing something, or is this a security bug?

3 answers

0 votes
Vasi
Atlassian Team
Atlassian Team members are employees working across the company in a wide variety of roles.
April 5, 2018

@PP,

Thank you very much for all the details, explanation and use case. It is very helpful.

I have already raised it to the Product team responsible and await their response. We will post further updates in the mentioned bug. However, you can reply back here as well if there is anything needed from our side.

Warm regards,
Vasily
Atlassian



0 votes
Vasi
Atlassian Team
April 1, 2018

Hi @PP,

I have checked this bug further and can confirm that it affects Android users as well. I have corrected the description and title of the bug:

Users without "Browse Projects" permission are being listed in autocomplete list when mentioning using Jira mobile app

To explain a bit further in details what you are facing:

When it comes to @mention feature, Jira should respect at least 2 rules:

1. "Browse users" permission that you mentioned. This permission controls whether a user can use the @mention feature at all. Basically, whether it is on or off.

2. If a user has "Browse users" permission, this user will be able to mention people who have "Browse Projects" permission for this specific project.
It is not expected that, having "Browse users" permission, you can mention anyone regardless of their permissions to the project.

The bug I mentioned is about Jira not respecting second rule when using Jira mobile app.

Let me know if my explanation makes sense, otherwise I will be glad to assist further if you provide any additional details for clarification.

Thank you,
Vasily

PP April 4, 2018

Thank you, Vasily. It is basically what I meant. If you could change the status of the bug to "Verified" or "Awaiting Development" instead of "Open" and add a relevant "Security" label/component it would get fixed faster.

It would also be great if you could make a corresponding bug for the Server version (if the bug affects it, of course), because it would get more views, more votes and would be more likely solved (I've seen requests for JIRA features with over a thousand votes and untouched/"won't implement", so a security bug with less than 10 votes probably won't get looked at).

Please note that I had to turn off the mobile access altogether (because there is no per-project mobile access either), because we cannot afford the lawsuits for showing users from client company/project A the names (i.e. logins in "Name.Surname" format, as is considered professional nowadays) from company/project B. Since I've turned it off, most users who browse JIRA on mobile keep posting a bunch of wrong attachments if they reply to a notification. Not great.

If I were to supply JIRA to competing companies from the same industry, they could easily check if their competitors are using the product we're supplying. Lawsuits, time and money would be lost. This is a serious security issue and I'm amazed nobody has reported it before.
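The following is an added Python model of the two rules Vasily lists above (not Jira's code; the users, groups and permission scheme are constructed sample data). It contrasts the expected web picker filtering with the mobile behaviour reported in this thread, lists the names that would be over-exposed in a given project, and shows why revoking "Browse Users" closes the gap at the cost of disabling @mentions entirely:

```python
"""Model of the two @mention rules described in the answer above.

Added illustration, not Jira code: users, groups and the permission
scheme are constructed. The reported mobile behaviour is reproduced as
a filter that skips the per-project check, so an admin can see which
names a mobile user would be shown that the web picker would hide.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    name: str
    groups: frozenset


# Constructed permission scheme: project -> permission -> groups granted it.
PERMISSION_SCHEME = {
    "Project_A": {"Browse Projects": {"client-a"}},
    "Project_B": {"Browse Projects": {"client-b"}},
    "Project_C": {"Browse Projects": {"client-c"}},
}

# Constructed global permission: groups allowed to use the user picker at all.
BROWSE_USERS_GROUPS = {"client-a", "client-b", "client-c"}

# Constructed user directory in the "Name.Surname" style the thread mentions.
USERS = [
    User("User_A", frozenset({"client-a"})),
    User("Test.User", frozenset({"client-a"})),
    User("Bob.B", frozenset({"client-b"})),
    User("Carol.C", frozenset({"client-c"})),
    User("Dave.Internal", frozenset({"staff"})),  # holds no Browse Users
]


def has_browse_users(user, browse_users_groups=BROWSE_USERS_GROUPS):
    """Rule 1: the global permission that switches @mentions on or off."""
    return bool(user.groups & browse_users_groups)


def can_browse_project(user, project):
    """Rule 2: only users who can see the project should be mentionable."""
    return bool(user.groups & PERMISSION_SCHEME[project]["Browse Projects"])


def mention_candidates_web(actor, project, users=USERS,
                           browse_users_groups=BROWSE_USERS_GROUPS):
    """Expected behaviour: rule 1 gates the feature, rule 2 filters the list."""
    if not has_browse_users(actor, browse_users_groups):
        return []
    return sorted(u.name for u in users if can_browse_project(u, project))


def mention_candidates_mobile_as_reported(actor, project, users=USERS,
                                          browse_users_groups=BROWSE_USERS_GROUPS):
    """Behaviour described in the thread: rule 1 applied, rule 2 skipped."""
    if not has_browse_users(actor, browse_users_groups):
        return []
    return sorted(u.name for u in users)


def overexposed_names(actor, project, users=USERS,
                      browse_users_groups=BROWSE_USERS_GROUPS):
    """Names a mobile user would be shown that the web picker would hide."""
    web = set(mention_candidates_web(actor, project, users, browse_users_groups))
    mobile = set(mention_candidates_mobile_as_reported(
        actor, project, users, browse_users_groups))
    return sorted(mobile - web)


if __name__ == "__main__":
    actor = USERS[0]  # User_A, member of client-a only
    print("web   :", mention_candidates_web(actor, "Project_A"))
    print("mobile:", mention_candidates_mobile_as_reported(actor, "Project_A"))
    print("leaked:", overexposed_names(actor, "Project_A"))
    # The workaround from the question: revoke Browse Users from the group.
    print("mobile after revoke:",
          mention_candidates_mobile_as_reported(actor, "Project_A",
                                                browse_users_groups=set()))
```

Running it for User_A in Project_A shows the web picker offering only the two client-a accounts, the reported mobile behaviour offering every account in the directory, and an empty list once "Browse Users" is revoked, which matches the observation that the user could then not @mention anyone on either client.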

0 votes
Vasi
Atlassian Team
March 26, 2018

Hi Piotr,

Yes, looking at the description of your case, it is very likely that you are hitting this bug:
Users without "Browse Projects" permission are being listed in autocomplete list when mentioning using iOS app

You can vote for it and also add comments if you would like to add any details to this bug.

Thank you,
Atlassian


PP March 27, 2018

I'm afraid it's Android and the linked bug is an entirely different bug than mine.
