[JIRA] Anonymous user can resolve and reopen issues. Why?

Alexandr_Sirotkin September 11, 2014

Anonymous users can resolve and reopen issues in one of our projects. In our other projects it is not allowed. All projects use the same Default Permission Scheme, so it is strange. I need to restrict anonymous users to only viewing issues, without any editing. Please help.

5 answers

1 vote
Joe Pitt
Community Leader
Community Leaders are connectors, ambassadors, and mentors. On the online community, they serve as thought leaders, product experts, and moderators.
September 11, 2014

If they can view it, they can execute a workflow transition if it doesn't have restrictions. We restrict all transitions to the Assignee and in some cases roles. The idea is the assignee is responsible for the issue and no one should be moving it through a transition besides them. If they need to move it, say for instance the assignee is on vacation, they just assign the issue to themselves first. An anonymous user would never be the assignee so they couldn't move it.

Nic Brough -Adaptavist-
Community Leader
September 11, 2014

I'd also add that in Jira 6.3+, there is a new permission called something like "Can use transitions". This fixes the default "anyone can use a transition if they can see the issue" problem so you don't have to worry about it any more. Despite saying that it fixes it, I would still STRONGLY recommend that you think about your conditions while working with workflows at all times.

Alexandr_Sirotkin September 13, 2014

Thanks all for fast answers! We are using JIRA v6.0.4.

I checked my problem project; it indeed has a custom workflow. I checked the "Reopen" transition; it has no conditions at all. I added one, "Only the assignee of the issue can execute this transition.", but it didn't help. Anonymous users can still see the "Reopen" button and click it, and the issue is reopened in that case.

I also checked our default workflow, which is used in most of our projects. The "Reopened" transition in it doesn't have any conditions, but projects which use this workflow don't show the "Reopen" button for anonymous users.

Joseph, it is not a very obvious practice that if users can view an issue then they can execute transitions. And for my JIRA instance it is not true, since for projects with the default workflow issues can be viewed by anonymous users but cannot be reopened.

Maybe I missed some simple thing in the massive JIRA configuration mechanism; please point me to it. Our project managers complain about every action done by an anonymous user.

Joe Pitt
Community Leader
September 13, 2014

I don't know what could cause this behavior. I'd open an issue with Atlassian.

Alexandr_Sirotkin September 13, 2014

We have a JIRA license; maybe it is better to create a "Support request"? Actually, the problem project was heavily customized by one of our JIRA admins, so something could have gone wrong. Maybe our config files, which are sent with the request, can help here?

Nic Brough -Adaptavist-
Community Leader
September 13, 2014

Yes, a support request would be better. However, they are going to go into a lot of detail with your config, so it's worth trying to explain the complexities up-front.

Rick Herrick February 2, 2015

I'm having this issue in JIRA 6.2.3. The ability to manage transitions (specifically, permissions on resolving and closing issues) is restricted to the Developers role. In what way does that mean that anonymous users should be able to change the workflow state? And if that restriction isn't enough to keep anonymous users from changing the workflow state, why would changing it to another restriction be enough? Also, we've had an anonymous user re-opening issues. As best I can tell, there's not even a setting in the permission scheme for that, so how do we prevent it? This is pretty troubling to us, because we're trying to open up our main JIRA project to the public, but I open it up for a couple of days and we have literally HUNDREDS of changes from an anonymous user in our project. These were most likely done by something automated that specifically looks for this vulnerability, although why, I have no idea.

Nic Brough -Adaptavist-
Community Leader
February 2, 2015

The ability to use a transition is controlled by the "conditions" on it, not by the permissions. I find it better to think of permissions as "a set of flags to be used in other places, such as conditions (so I can say 'only people with close permission can use the close transition')". If you have anonymous users able to transition issues, then your workflow needs conditions added to it.

Rick Herrick February 4, 2015

First, that is completely opaque and non-obvious. It may be "better to think of permissions" that way, but I assure you that in most cases people don't. Second, the idea that, regardless of how I might think of permissions, giving someone permission to browse issues in ANY WAY implies that they can change anything about those issues is... well, it's stupid. And third and finally, wow, what a tremendous pain in the ass to manage. I can't just set permissions on my project and expect anonymous bots to not be able to come modify my issues. Instead, I have to set permissions on my project and THEN go set conditions on every single state that might apply to an issue in my project. We'll be upgrading soon, so I realize that this goes away at least to some extent by having the permission to control transitions, but I'm kind of stunned that this sort of thing went on in JIRA for so long without having a fix for it.

Joe Pitt
Community Leader
February 4, 2015

It doesn't allow anyone or bots the ability to change anything. The 'hole' was they could execute transitions that weren't protected. They can't edit issues, add comments, add/delete attachments, etc. And unless you allow 'anyone' browse permission bots can't even see the projects because they don't have userids.

0 votes
Alexandr_Sirotkin February 4, 2015

Yes, but I failed to find out how to restrict anonymous users using conditions on transitions. Probably it's my fault, but if JIRA's settings had a checkbox "don't allow editing by anonymous" per project, or something like that, it would make my life much easier :)

0 votes
Joe Pitt
Community Leader
February 4, 2015

It sounds like you're resisting the solution of putting conditions on transitions. As Nic said, the way to control transitions is with conditions such as Assignee only, a particular project role, or assignee and project role.

0 votes
Alexandr_Sirotkin February 4, 2015

Oh, my question is still relevant. I have to say that one of our teams refused to use JIRA in their work, and one of the reasons was the issue from this topic.

0 votes
Renjith Pillai
Rising Star
Rising Stars are recognized for providing high-quality answers to other users. Rising Stars receive a certificate of achievement and are on the path to becoming Community Leaders.
September 11, 2014

It is not based on the permission scheme. The workflow transitions require that Conditions are set so that only authorised people can execute the workflow transition. Please check the workflow of the issue type/project which is having this problem and add the necessary 'Conditions'.
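Both Nic's and Renjith's answers come down to the same audit: for every transition in the custom workflow, check whether it has any condition at all, because an unconditioned transition is usable by anyone who can browse the issue. The script below is an added example, not code from this thread or from Atlassian. It assumes the OSWorkflow XML layout that a Jira workflow export produces (each transition is an `<action>`, with its conditions under `<restrict-to><conditions>`), and the sample document embedded in it is constructed for the example rather than taken from a real export; the condition class names and argument names in it are the ones the author of this example expects to see, not values from the page.

```python
"""Audit a Jira workflow XML export for transitions that carry no conditions.

Added example (not from the thread or from Atlassian). Assumes the OSWorkflow
XML layout of a Jira workflow export: transitions are <action> elements, and
their conditions live under <restrict-to><conditions>, possibly nested in
AND/OR groups. Initial actions (issue creation) are deliberately skipped.
"""
import xml.etree.ElementTree as ET

# Constructed sample, not a real export. "Reopen Issue" has no conditions, so
# anyone who can browse the issue can execute it; the other two are guarded.
SAMPLE_WORKFLOW_XML = """<workflow>
  <steps>
    <step id="1" name="Open">
      <actions>
        <action id="5" name="Resolve Issue">
          <restrict-to>
            <conditions type="AND">
              <condition type="class">
                <arg name="class.name">com.atlassian.jira.workflow.condition.PermissionCondition</arg>
                <arg name="permission">Resolve Issue</arg>
              </condition>
            </conditions>
          </restrict-to>
          <results>
            <unconditional-result old-status="Finished" status="Resolved" step="5"/>
          </results>
        </action>
        <action id="2" name="Close Issue">
          <restrict-to>
            <conditions type="OR">
              <condition type="class">
                <arg name="class.name">com.atlassian.jira.workflow.condition.AllowOnlyAssignee</arg>
              </condition>
              <conditions type="AND">
                <condition type="class">
                  <arg name="class.name">com.atlassian.jira.workflow.condition.InProjectRoleCondition</arg>
                  <arg name="jira.projectrole.id">10001</arg>
                </condition>
              </conditions>
            </conditions>
          </restrict-to>
          <results>
            <unconditional-result old-status="Finished" status="Closed" step="6"/>
          </results>
        </action>
      </actions>
    </step>
    <step id="5" name="Resolved">
      <actions>
        <action id="3" name="Reopen Issue">
          <results>
            <unconditional-result old-status="Finished" status="Reopened" step="4"/>
          </results>
        </action>
      </actions>
    </step>
  </steps>
</workflow>
"""


def transition_conditions(xml_text):
    """Return (action id, action name, [condition class names]) for every
    non-create transition, in document order. An empty list means unguarded."""
    root = ET.fromstring(xml_text)
    report = []
    # Transitions can live under steps, common-actions or global-actions.
    for container in ("steps", "common-actions", "global-actions"):
        node = root.find(container)
        if node is None:
            continue
        for action in node.iter("action"):
            classes = []
            # Conditions may be nested inside AND/OR groups: search all descendants.
            for cond in action.findall("./restrict-to/conditions//condition"):
                arg = cond.find("./arg[@name='class.name']")
                if arg is not None and arg.text:
                    classes.append(arg.text.strip())
                else:
                    classes.append(cond.get("type", "unknown"))
            report.append((action.get("id"), action.get("name"), classes))
    return report


def unguarded_transitions(xml_text):
    """Only the transitions with no condition at all (the ones to fix)."""
    return [(aid, name) for aid, name, classes in transition_conditions(xml_text)
            if not classes]


if __name__ == "__main__":
    for aid, name, classes in transition_conditions(SAMPLE_WORKFLOW_XML):
        status = "OK      " if classes else "NO GUARD"
        guard = ", ".join(classes) or "(anyone who can browse the issue)"
        print(f"{status} action {aid:>3} {name!r}: {guard}")
```

Run it against a real export instead of the sample by reading the workflow XML from disk and passing it to `unguarded_transitions`; every transition it lists is one where a condition (assignee, project role, or a permission-based condition) still needs to be added, which is exactly the gap the thread describes for "Reopen".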
