The picker function in /rest/api/2/user/picker allows an anonymous user to conduct queries. If a valid username is queried, the application provides details about the user to include their email address.
The API documentation available here: https://docs.atlassian.com/software/jira/docs/api/REST/6.2/ states that this method cannot be accessed anonymously. Furthermore, the 'anyone' group has been removed from the 'Browse Users' permission in the global permissions, yet the issue persists.
Please assist in restricting the ability of the anonymous user to conduct picker queries through the API.
The request can be performed through curl, a web proxy, or even through the web browser. The responses are all the same and are done without authenticating to the application. In fact, when I review the response in Burp it even has the following header: ‘x-ausername: anonymous’
The permission condition in the latest docs is
Check what browse permissions are set to.
Are you cloud or server? Is your instance public?
I tried this on my server and it allowed anonymous as you said and I couldn’t find an option to prevent it. Some REST APIs are intended to allow anonymous access but the documentation suggests this one isn’t one of those.
Maybe one for Atlassian support. Would probably fail most penetration tests for web apps.
I wondered whether it was connected to my server being a service desk and related to allowing users without accounts to submit tickets.
Thanks for confirming. I tested this on a clean server instance, out of the box. It appears to be a default setting somewhere or a misconfiguration. Unfortunately, I am on a trial instance and do not believe I have the ability to open a ticket with support. Any idea on how this anonymous access can be restricted, through the GUI or the corresponding code on the backend? Thanks for your help.
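An added audit helper (not from this thread, and not Atlassian's code) that a Jira administrator can run against their own instance to confirm whether /rest/api/2/user/picker still answers unauthenticated queries after changing the Browse Users permission. It assumes the picker takes a `query` parameter and returns a JSON object with a `users` array, and that the base URL is passed on the command line.

```python
"""Audit helper: does a Jira instance answer anonymous /rest/api/2/user/picker queries?"""
import json
import sys
import urllib.error
import urllib.request
from urllib.parse import urlencode

PICKER_PATH = "/rest/api/2/user/picker"  # endpoint named in the thread


def evaluate_picker_response(status: int, headers: dict, body: str) -> dict:
    """Classify one unauthenticated picker response.

    'exposed' is True when the endpoint returned HTTP 200 with at least one
    user record to a caller that sent no credentials. Header names are
    compared case-insensitively, since servers vary in how they emit them.
    """
    lower = {k.lower(): v for k, v in headers.items()}
    served_anonymous = lower.get("x-ausername", "").lower() == "anonymous"
    users = []
    if status == 200:
        try:
            # Assumed response shape: {"users": [...], "total": N, "header": "..."}
            users = json.loads(body).get("users", [])
        except (ValueError, AttributeError):
            users = []
    return {
        "status": status,
        "anonymous_session": served_anonymous,
        "user_count": len(users),
        "exposed": status == 200 and len(users) > 0,
    }


def check_instance(base_url: str, query: str) -> dict:
    """Send one picker query to base_url without any Authorization header."""
    url = base_url.rstrip("/") + PICKER_PATH + "?" + urlencode({"query": query})
    req = urllib.request.Request(url, headers={"Accept": "application/json"})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return evaluate_picker_response(resp.status, dict(resp.headers), resp.read().decode())
    except urllib.error.HTTPError as err:
        # 401/403 here is the expected, restricted behaviour
        return evaluate_picker_response(err.code, dict(err.headers), "")


if __name__ == "__main__":
    # Usage: python check_picker.py https://jira.example.internal admin
    result = check_instance(sys.argv[1], sys.argv[2] if len(sys.argv) > 2 else "a")
    print(json.dumps(result, indent=2))
    sys.exit(1 if result["exposed"] else 0)
```

A non-zero exit means the picker disclosed user records anonymously, so the script can sit in a post-change configuration check.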