Jira Cloud - mobile app. How to prevent mobile users from @mentioning people outside their projects?

Hello.

I'm a fairly new Cloud JIRA administrator, but I had a bunch of projects, workflows and kanban boards set up.

I have recently made a new project and during the internal testing, User_A told me he could @mention anyone from the whole JIRA instance in comments in Project_A.

I checked it, and I could not reproduce the issue either with a test user belonging to the same groups and having identical permissions, or by logging in as User_A through the Admin panel.

Turns out he was using the mobile app the whole time. He gave me a bunch of example names from other projects Project_B and Project_C he has no access to (and users from these projects have no access to the Project_A).

Once I took away the "Browse Users" permission from the group he belonged to, he couldn't @mention anyone, neither through the web nor through the app. Apparently, for mobile, the description is taken literally ("View and select users or groups from the user picker, and share issues. Users with this permission can see the names of all users and groups on your site."), though for web it is that minus users who have no viewing rights for the issue - which effectively makes it work on a "per project" basis (which is great, since Atlassian will not make).

The only setting for mobile I could find was "enable/disable" in the Project Summary screen.

Am I missing something, or is this a security bug?

3 answers


Hi Piotr,

Yes, looking at the description of your case, it is very likely that you are hitting this bug:
Users without "Browse Projects" permission are being listed in autocomplete list when mentioning using iOS app

You can vote for it and also add comments if you would like to add any details to this bug.

Thank you,
Atlassian


I'm afraid it's Android and the linked bug is an entirely different bug than mine.


Hi @Piotr Polewicz,

I have checked this bug further and can confirm that it affects Android users as well. I have corrected the description and title of the bug:

Users without "Browse Projects" permission are being listed in autocomplete list when mentioning using Jira mobile app

To explain in a bit more detail what you are facing:

When it comes to the @mention feature, Jira should respect at least 2 rules:

1. The "Browse users" permission that you mentioned. This permission controls whether a user can use the @mention feature at all. Basically, whether it is on or off.

2. If a user has the "Browse users" permission, this user will be able to mention people who have the "Browse Projects" permission for this specific project.
It is not expected that, having the "Browse users" permission, you can mention anyone regardless of their permissions for the project.

The bug I mentioned is about Jira not respecting the second rule when using the Jira mobile app.

Let me know if my explanation makes sense, otherwise I will be glad to assist further if you provide any additional details for clarification.

Thank you,
Vasily
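A small model of these two rules, added here as an example (not Atlassian's code), with the mobile-app behaviour described in the bug beside the expected one so an admin can see which names would leak; all users, projects and permission strings are constructed:

```python
from dataclasses import dataclass, field

# Constructed permission names (added example, not Atlassian code)
BROWSE_USERS = "Browse users and groups"  # global: may use the @mention picker at all
BROWSE_PROJECTS = "Browse Projects"       # per project: may view that project's issues


@dataclass
class Site:
    global_perms: dict[str, set[str]] = field(default_factory=dict)  # user -> global perms
    project_perms: dict[str, dict[str, set[str]]] = field(default_factory=dict)  # project -> user -> perms

    def all_users(self) -> set[str]:
        users = set(self.global_perms)
        for members in self.project_perms.values():
            users |= set(members)
        return users


def can_mention_at_all(site: Site, requester: str) -> bool:
    """Rule 1: without Browse users the @mention picker is simply off."""
    return BROWSE_USERS in site.global_perms.get(requester, set())


def mention_candidates(site: Site, requester: str, project: str) -> set[str]:
    """Expected (web) behaviour: rule 1, then rule 2, so only users who can browse the project."""
    if not can_mention_at_all(site, requester):
        return set()
    members = site.project_perms.get(project, {})
    return {u for u, perms in members.items() if BROWSE_PROJECTS in perms}


def mention_candidates_mobile_bug(site: Site, requester: str, project: str) -> set[str]:
    """Behaviour the bug describes: rule 1 only, so every user on the site is offered."""
    return site.all_users() if can_mention_at_all(site, requester) else set()


def leaked_names(site: Site, requester: str, project: str) -> set[str]:
    """Names the mobile picker exposes that the project's permissions should hide."""
    return mention_candidates_mobile_bug(site, requester, project) - mention_candidates(site, requester, project)


def sample_site() -> Site:
    """Constructed site: User_A and a tester in Project_A; client users only in Project_B/C."""
    return Site(
        global_perms={"User_A": {BROWSE_USERS}, "Tester": {BROWSE_USERS}},
        project_perms={
            "Project_A": {"User_A": {BROWSE_PROJECTS}, "Tester": {BROWSE_PROJECTS}},
            "Project_B": {"Client_B": {BROWSE_PROJECTS}},
            "Project_C": {"Client_C": {BROWSE_PROJECTS}},
        },
    )
```

Removing Browse users from the requester empties both candidate sets, which matches the workaround in the question; only the per-project filter of rule 2 keeps the client names out while @mention stays usable.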

Thank you, Vasily. It is basically what I meant. If you could change the status of the bug to "Verified" or "Awaiting Development" instead of "Open" and add a relevant "Security" label/component it would get fixed faster.

It would also be great if you could make a corresponding bug for the Server version (if the bug affects it, of course), because it would get more views, more votes and would be more likely solved (I've seen requests for JIRA features with over a thousand votes and untouched/"won't implement", so a security bug with less than 10 votes probably won't get looked at).

Please note that I had to turn off mobile access altogether (because there is no per-project mobile access either) because we cannot afford the lawsuits for showing users from client company/project A the names (i.e. logins in "Name.Surname" format, as is considered professional nowadays) from company/project B. Since I've turned it off, most users who browse JIRA on mobile keep posting a bunch of wrong attachments if they reply to a notification. Not great.

If I were to supply JIRA to competing companies from the same industry, they could easily check if their competitors are using the product we're supplying. Lawsuits, time and money would be lost. This is a serious security issue and I'm amazed nobody has reported it before.


@Piotr Polewicz,

Thank you very much for all the details, explanation and use case. It is very helpful.

I have already raised it to the Product team responsible and await their response. We will post further updates in the mentioned bug. However, you can reply back here as well if there is anything needed from our side.

Warm regards,
Vasily
Atlassian


