I'm a fairly new Cloud JIRA administrator, but I had a bunch of projects, workflows and kanban boards set up.
I have recently made a new project and during the internal testing, User_A told me he could @mention anyone from the whole JIRA instance in comments in Project_A.
I have checked it, and both a Test user belonging to the same groups and having identical permissions and logging in as User_A through the Admin panel I could not reproduce the issue.
Turns out he was using the mobile app the whole time. He gave me a bunch of example names from other projects Project_B and Project_C he has no access to (and users from these projects have no access to the Project_A).
Once I took away "Browse Users" permission from the group he belonged to, he couldn't @mention anyone, neither through web nor through the app. Apparently, for mobile, the description is taken literally ("View and select users or groups from the user picker, and share issues. Users with this permission can see the names of all users and groups on your site."), though for web it is that minus users who have no viewing rights for the issue - which effectively makes it work on "per project" basis (which is great, since Atlassian will not make).
The only setting for mobile I could find was "enable/disable" in the Project Summary screen.
Am I missing something or this is a security bug?
Yes, looking at the description of your case, it is very likely that you are hitting this bug:
Users without "Browse Projects" permission are being listed in autocomplete list when mentioning using iOS app]
You can vote for it and also add comments if you would like to add any details to this bug.
Hi @Piotr Polewicz,
I have checked this bug further and can confirm that it affects Android users as well. I have corrected description and title of the bug:
Users without "Browse Projects" permission are being listed in autocomplete list when mentioning using Jira mobile app
To explain a bit further in details what you are facing:
When it comes to @mention feature, Jira should respect at least 2 rules:
1. "Browse users" permission that you mentioned. This permission controls whether user can use @mention feature at all. Basically, whether it is on or off.
2. If user has "Browse users" permission, this user will be able to mention people that has "Browser project" permissions for this specific project.
It is not expected that having "Browse users" permissions, you can mention anyone regardless of their permissions to the project.
The bug I mentioned is about Jira not respecting second rule when using Jira mobile app.
Let me know if my explanation makes sense, otherwise I will be glad to assist further if you provide any additional details for clarification.
Thank you, Vasily. It is basically what I meant. If you could change the status of the bug to "Verified" or "Awaiting Development" instead of "Open" and add a relevant "Security" label/component it would get fixed faster.
It would also be great if you could make a corresponding bug for the Server version (if the bug affects it, of course), because it would get more views, more votes and would be more likely solved (I've seen requests for JIRA features with over a thousand votes and untouched/"won't implement", so a security bug with less than 10 votes probably won't get looked at).
Please note that I had to turn off the mobile access altogether (because there is no per-project mobile access either) because we cannot afford the lawsuits for showing users from client company/project A the names (i.e. logins in "Name.Surname" format as is considered professional nowadays) from company/project B. Since I've turned it off, most users who browse JIRA on mobile keep posting bunch of wrong attachments if they reply to a notification. Not great.
If I were to supply JIRA to competing companies from the same industry, they could easily check if their competitors are using the product we're supplying. Lawsuits, time and money would be lost. This is a serious security issue and I'm amazed nobody has reported it before.
Thank you very much for all the details, explanation and use case. It is very helpful.
I have already raised it to the Product team responsible and await for their response. We will post further updates in the mentioned bug. However you can reply back here as well if there is anything needed from our side.
...PermissionsStartOnly=true User=www-data Group=www-data ExecStart=/opt/jira/bin/startup.sh ExecStop=/opt/jira/bin/shutdown.sh TimeoutStartSec=120 TimeoutStopSec=600 PrivateTmp=true [Install] WantedBy...
Connect with like-minded Atlassian users at free events near you!Find a group
Connect with like-minded Atlassian users at free events near you!
Unfortunately there are no AUG chapters near you at the moment.Start an AUG