Anonymous caused a status change in Jira -- scary

Running with Jira 5.2.2

My project manager tripped over this, asking why the Resolution is set to "xxxx" when the Status is in an unresolved state. I reviewed the issue's comments and came across:

Anonymous made changes - 02/Aug/13 1:54 PM
Status: Resolved [ 5 ] -> Ready to Submit [ 10001 ]
Rick added a comment - 02/Aug/13 3:45 PM - edited

Please re-open. I tried to re-open and it now appears to be ready to submit

After chatting with Rick, I believe he left his Jira web page up pointing to this issue, where one of the transition menus was to "reopen" the issue. He left and later returned, pressed the "reopen" button and did what most busy people do -- ignored any errors and continued with his work.

I reviewed the catalina.out log for both Rick and anonymous but there were no logs (errors, warns, info) around that time period. I'm concerned because Anonymous forced a state change, and that state change from Resolved to "Ready to Submit" has no valid transition to get it there directly.

There are no current questions on this issue but I am hoping for some comments or recommendations from the community.

2 answers

1 accepted

Hmmmm. All my workflow transitions have conditions set to control access. There is one transition that goes from "Ready to Submit" to "Resolved" and the conditions on that transition do not allow that user to fire it. There are no transitions that go directly from "Resolved" to "Ready to Submit" but the comment above shows that Anonymous did do it. I'm using three plugins: ScriptRunner 2.1.11, Subversion 0.10.11.1 and Universal Plugin Manager 2.11, which are all rock solid plugins. I appreciate your responses Nic, but for now I'm just going to have to keep a watchful eye on the situation.

0 vote

Your workflow is missing conditions, such as "only people in the role of user can do this".

A workflow transition with no conditions is executable by absolutely anyone who can see the issue, without logging in. That's what's happened here.

Have a look at the (uneditable) Jira default workflow - you'll see it has no transitions without any conditions; there's always at least one enforcing a "user must be logged in because I need to know that they're part of role X".

Good point, but the active workflow does not have a transition directly from Resolved to "Ready to Submit", so how did it get there?

It did when the user clicked it. Either that, or you have a plugin that is bypassing the workflow (I'd advise deleting that immediately if that is the case).
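
An added example, not part of the thread and not Atlassian code: one way to check both points raised in this exchange (transitions that carry no conditions, and whether a direct Resolved to "Ready to Submit" edge exists) against a workflow's XML export. It assumes the export follows the OSWorkflow layout (`common-actions`, `steps`, `restrict-to`, `results`); the sample XML, its ids and the `audit` helper are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed, simplified workflow export (not taken from the thread).
# Step/action ids are made up; the status names are the ones in the question.
SAMPLE_WORKFLOW = """<workflow>
  <common-actions>
    <action id="3" name="Reopen">
      <results><unconditional-result old-status="Finished" status="Open" step="1"/></results>
    </action>
  </common-actions>
  <steps>
    <step id="1" name="Ready to Submit">
      <actions>
        <action id="11" name="Resolve">
          <restrict-to><conditions type="AND"><condition type="class">
            <arg name="class.name">com.atlassian.jira.workflow.condition.PermissionCondition</arg>
          </condition></conditions></restrict-to>
          <results><unconditional-result old-status="Open" status="Resolved" step="2"/></results>
        </action>
      </actions>
    </step>
    <step id="2" name="Resolved">
      <actions><common-action id="3"/></actions>
    </step>
  </steps>
</workflow>"""

def audit(xml_text):
    """Return (edges, unguarded) as (from_step, action, to_step) tuples."""
    root = ET.fromstring(xml_text)
    names = {s.get("id"): s.get("name") for s in root.iter("step")}
    shared = {a.get("id"): a for a in root.findall("./common-actions/action")}
    edges, unguarded = [], []
    for step in root.iter("step"):
        actions = step.findall("./actions/action")
        actions += [shared[c.get("id")] for c in step.findall("./actions/common-action")
                    if c.get("id") in shared]  # resolve references to shared actions
        for act in actions:
            # Guarded only if <restrict-to> holds at least one <condition>.
            guarded = act.find("./restrict-to//condition") is not None
            for res in act.findall("./results/*"):
                edge = (step.get("name"), act.get("name"), names.get(res.get("step")))
                edges.append(edge)
                if not guarded:
                    unguarded.append(edge)
    return edges, unguarded

if __name__ == "__main__":
    for src, action, dst in audit(SAMPLE_WORKFLOW)[1]:
        print(f"no condition: {src} --{action}--> {dst}")
```

Shared (common) actions are easy to miss when reading a workflow step by step in the designer, which is why the helper resolves them into each step that references them.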
