Create
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Sign up Log in
Products
See all
Community resources
Top groups
Explore all groups
Community resources
Learn
Community resources
Events
Community resources

Anonymous User can change the state in a JIRA workflow

Michael Osborne
Michael Osborne January 30, 2014

We have enabled Anonymous users to allow people outside R&D to add comments to JIRA issues. The weird side affect of this is our R&D people can now change the workflow state without signing in. How do I stop Anonymous users from changing a workflow state?

Answer
Watch
Like Be the first to like this
334 views

1 answer

0 votes
Nic Brough -Adaptavist-
Nic Brough -Adaptavist-
Community Leader
Community Leader
Community Leaders are connectors, ambassadors, and mentors. On the online community, they serve as thought leaders, product experts, and moderators.
Become a leader
January 30, 2014

Ah, this is a common oversight for new administrators. It really is not obvious, and we've all done it.

Your workflow does not have any "conditions" on the transitions, which leaves them open to any user. Edit your workflow, and for every transition, add at least one condition. "User is in role of User" or "User is in role of developer" are pretty good default ones.

View More Comments
maniacal
maniacal February 6, 2014

Nic,

I don't know if I agree with your assessment that this is an "oversight" for new administrators. We have a LOT of transitions. For one project I think there are close to 50. I don't know if that's good practice, but I think that's irrelevant. There is a "permissions" page for a project. I should be able to set all the permissions for a project from this page. If I have everyone locked out of a project on the permissions page except for a certain team, and someone from another team (or worse, and anonymous user) can execute the workflow of that project, I'd call that a bug.

I understand the need to give people outside your team the permissions to execute workflow transitions (QA team moving something from "In QA" to "Ready for prod" for instance. But those should be the exception. I should be able to, from the permissions tab for my project, set a "default" permssions for transitions in my workflow. Then if the transaction doesn't explicitly state a set of permissions, it falls back to the default.

MG

Like
Nic Brough -Adaptavist-
Nic Brough -Adaptavist-
Community Leader
Community Leader
Community Leaders are connectors, ambassadors, and mentors. On the online community, they serve as thought leaders, product experts, and moderators.
Become a leader
February 6, 2014

Mmm, an "oversight" is an unintentional failure to do, or notice, something that needs dealing with.

In this case, your admins didn't know they need to apply conditions to the workflow.

It is not intuitive, certainly, but it's not a bug. It's a consequence of having a very flexible way of doing permissions. Changing it wouldn't help, but setting it up the way I think you're suggesting in your first paragraph reduces the flexibility.

But, I also agree that there should be a "default" condition setting in the permissions.

I've not thought of it like this before, but your suggestion in your second paragraph is the best way to fix it that I've seen yet. Adding a line to permissions that says something like "can use basic transtion", and then having a fixed condition of "must be allowed basic transition" that is always applied would work very well. As long as your admins remember to add people to the permission (I'd also set a default of "user, developer and admin roles", to make it obvious and help them out)

Like
Reply

Suggest an answer

Log in or Sign up to answer
Jira
Jira Software
TAGS
AUG Leaders

Atlassian Community Events

    See all events