Anonymous caused a status change in Jira -- scary

Running with Jira 5.2.2

My project manager tripped over this, asking why the Resolution is set to "xxxx" when the Status is in an unresolved state. I reviewed the issue's comments and came across:

Anonymous made changes - 02/Aug/13 1:54 PM
Status Resolved [ 5 ] Ready to Submit [ 10001 ]
Rick added a comment - 02/Aug/13 3:45 PM - edited

Please re-open. I tried to re-open and it now appears to be ready to submit

After chatting with Rick, I believe he left his Jira web page up pointing to this issue, where one of the transition menus was to "reopen" the issue. He left and later returned, pressed the "reopen" button and did what most busy people do -- ignored any errors and continued with his work.

I reviewed the catalina.out log for both Rick and anonymous, but there were no logs (errors, warns, info) around that time period. I'm concerned because Anonymous forced a state change, and that state change from Resolved to "Ready to Submit" has no valid transition to get it there directly.

There are no current questions on this issue, but I am hoping for some comments or recommendations from the community.

2 answers

1 accepted

0 votes
Accepted answer

Hmmmm. All my workflow transitions have conditions set to control access. There is one transition that goes from "Ready to Submit" to "Resolved", and the conditions on that transition do not allow that user to fire it. There are no transitions that go directly from "Resolved" to "Ready to Submit", but the comment above shows that Anonymous did do it. I'm using three plugins: ScriptRunner 2.1.11, Subversion and Universal Plugin Manager 2.11, which are all rock solid plugins. I appreciate your responses, Nic, but for now I'm just going to have to keep a watchful eye on the situation.

0 votes

Your workflow is missing conditions, such as "only people in the role of user can do this"

A workflow transition with no conditions is executable by absolutely anyone who can see the issue, without logging in. That's what's happened here.

Have a look at the (uneditable) Jira default workflow - you'll see it has no transitions without any conditions; there's always at least one enforcing a "user must be logged in because I need to know that they're part of role X".

Good point, but the active workflow does not have a transition directly from Resolved to "Ready to Submit", so how did it get there?

It did when the user clicked it. Either that, or you have a plugin that is bypassing the workflow (I'd advise deleting that immediately if that is the case)
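
The check suggested in the answer above (look for transitions that carry no condition) can be run mechanically against a workflow's XML export. This is an added example, not code from the thread or from Atlassian: the sample XML is constructed, and its element names assume the OSWorkflow-style layout of such an export; step ids and the permission value are made up.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the OSWorkflow-style layout of a workflow XML export
# (assumed element names; step ids and the permission value are made up).
SAMPLE = """<workflow>
  <common-actions>
    <action id="2" name="Close">
      <results><unconditional-result step="6"/></results>
    </action>
  </common-actions>
  <steps>
    <step id="3" name="Ready to Submit"><actions>
      <action id="11" name="Resolve">
        <restrict-to><conditions><condition type="class">
          <arg name="class.name">com.atlassian.jira.workflow.condition.PermissionCondition</arg>
          <arg name="permission">resolve issue</arg>
        </condition></conditions></restrict-to>
        <results><unconditional-result step="5"/></results>
      </action>
    </actions></step>
    <step id="5" name="Resolved"><actions>
      <action id="21" name="Reopen">
        <restrict-to><conditions/></restrict-to>
        <results><unconditional-result step="4"/></results>
      </action>
    </actions></step>
  </steps>
</workflow>"""

def unconditioned_transitions(xml_text):
    """Return (scope, transition name, destination step id) for each transition with no condition."""
    root = ET.fromstring(xml_text)
    findings = []
    def check(scope, actions):
        for action in actions:
            # '//' also matches conditions nested inside AND/OR groups.
            if action.find("./restrict-to/conditions//condition") is None:
                dest = action.find("./results/unconditional-result")
                step = dest.get("step") if dest is not None else None
                findings.append((scope, action.get("name"), step))
    check("global", root.findall("./global-actions/action"))
    check("common", root.findall("./common-actions/action"))
    for step in root.findall("./steps/step"):
        check(step.get("name"), step.findall("./actions/action"))
    return findings

if __name__ == "__main__":
    for scope, name, dest in unconditioned_transitions(SAMPLE):
        print(f"NO CONDITION: {name!r} (from {scope}) -> step {dest}")
```

An empty `<conditions/>` element is reported the same as a missing `<restrict-to>`, since neither restricts who can fire the transition.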
