Project visibility and its components - security issue

After migrating to the new Jira 6.2.3, every user can see a couple of projects on the all-projects list, and their component names, with no permission to these projects. Does anyone know a solution to a problem like this?

1 answer

0 votes

You've allowed "anyone" to see the projects.

Users with no permission to this project can see it on the list. They don't see the issues, only the project and component names.

Oops, sorry. Also a possibility - you've used a user or group picker in the project browse permission. That has to expose the project to people who might be named there, even if there are not yet any issues that match the criteria.

In the project permissions there are only a couple of users who need access to this project, and they see all issues and can create issues, but everyone (around 2k users) can see the project on the list with no permission. There is no group added to the project permissions, only users.

That still strongly suggests you've allowed "anyone" to browse the projects, then used issue security and/or reporter-browse to hide existing issues from them.

Right. First, go to the project and check exactly which permission scheme it is using. Then, go into that scheme and list here *everything* that has "browse project" rights.

Don't try to interpret or explain anything, just give us the plain text of the box on the right (feel free to obscure any names with personal id info with xxxx's)

This is browse project rights of this project:

  • Zgłaszający - Reporter
  • Aktualnie Przypisany - Current assignee
  • Rola w Projekcie (xxxxxxx) - Project Role
  • Rola w Projekcie (Administrators) - Project Role
  • Wartość Niestandardowego Pola Użytkownika (xxxxx) - Custom field value
  • Wartość Niestandardowego Pola Użytkownika (xxxxx) - Custom field value

It's the first line.

If you allow the reporter to see the project, Jira has to open up the project to everyone who *might* report an issue.

Sorry it's taken a while to get there. You said the users had "no permissions", but there's actually loads there (other than the role ones, which tend to be standard).

We have done a test with a newly created user who is only in the jira-users group, and after logging in to Jira we can see only this project on the list of all projects.

You are right but permission for "Create Issue" in this project looks like:

  • Rola w Projekcie (Administrators) - Project Role
  • Rola w Projekcie (xxxx) - Project Role
  • Rola w Projekcie (xxxx) - Project Role
  • Rola w Projekcie (xxxx) - Project Role
  • Rola w Projekcie (xxxx) - Project Role

Yes, because they might be a reporter.

After I deleted the Reporter permission to browse the project, I can still see the project.

Could you remove (temporarily, of course) assignee and the two custom fields as well?

I had to remove all permissions except the project roles, and now it works fine: only users with permission can see the project. I think it is a bug, because users with permission to create issues should see the project, not every user in Jira.

Thank you for your help.
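The thread's conclusion is that any "Browse Projects" grant whose membership can only be decided per issue (Reporter, Current Assignee, a user or group custom field) forces Jira to show the project to everyone who might ever match, and an "anyone" grant shows it openly. The audit below is an added example, not code from the thread or from Atlassian: it walks a permission scheme in the JSON shape returned by Jira's `GET /rest/api/2/permissionscheme/{id}?expand=permissions` (the holder type names are assumed from that API; the scheme id, role ids and custom field ids are constructed placeholders modelled on the grants listed above) and reports which Browse Projects grants would leak the project name to users outside the intended roles.

```python
import json

# Constructed sample in the shape of Jira's permission scheme REST payload.
# Ids, names and field keys are placeholders, not values from the thread.
SAMPLE_SCHEME = json.loads("""
{
  "id": 10100,
  "name": "Example scheme (constructed)",
  "permissions": [
    {"permission": "BROWSE_PROJECTS", "holder": {"type": "reporter"}},
    {"permission": "BROWSE_PROJECTS", "holder": {"type": "assignee"}},
    {"permission": "BROWSE_PROJECTS", "holder": {"type": "projectRole", "parameter": "10002"}},
    {"permission": "BROWSE_PROJECTS", "holder": {"type": "projectRole", "parameter": "10003"}},
    {"permission": "BROWSE_PROJECTS", "holder": {"type": "userCustomField", "parameter": "customfield_10200"}},
    {"permission": "BROWSE_PROJECTS", "holder": {"type": "userCustomField", "parameter": "customfield_10201"}},
    {"permission": "CREATE_ISSUES",   "holder": {"type": "projectRole", "parameter": "10002"}}
  ]
}
""")

# Holder types Jira can only evaluate against a concrete issue. The project
# list has no issue to evaluate, so Jira shows the project to everyone who
# *could* match, which is exactly the leak described in the thread.
DYNAMIC_HOLDERS = {
    "reporter": "anyone who might report an issue",
    "assignee": "anyone who might be assigned an issue",
    "userCustomField": "anyone who might be named in the user picker field",
    "groupCustomField": "anyone who might be in a group named in the field",
}

# Holder types that grant browse to every licensed user outright.
OPEN_HOLDERS = {"anyone", "applicationRole"}


def browse_project_findings(scheme):
    """Return (severity, holder_type, parameter, reason) for each Browse
    Projects grant that exposes the project beyond explicit roles/users/groups."""
    findings = []
    for grant in scheme.get("permissions", []):
        if grant.get("permission") != "BROWSE_PROJECTS":
            continue
        holder = grant.get("holder", {})
        htype, param = holder.get("type"), holder.get("parameter")
        if htype in OPEN_HOLDERS:
            findings.append(("open", htype, param,
                             "grants browse to every licensed user"))
        elif htype in DYNAMIC_HOLDERS:
            findings.append(("dynamic", htype, param, DYNAMIC_HOLDERS[htype]))
    return findings


def explicit_browse_holders(scheme):
    """The grants that actually restrict browse: roles, users, groups, lead."""
    keep = {"projectRole", "user", "group", "projectLead"}
    return [
        (g["holder"]["type"], g["holder"].get("parameter"))
        for g in scheme.get("permissions", [])
        if g.get("permission") == "BROWSE_PROJECTS"
        and g.get("holder", {}).get("type") in keep
    ]


def report(scheme):
    """Human-readable summary; the functions above carry the results."""
    lines = [f"Scheme {scheme['id']} ({scheme['name']}): Browse Projects"]
    for sev, htype, param, why in browse_project_findings(scheme):
        where = f" ({param})" if param else ""
        lines.append(f"  [{sev.upper()}] {htype}{where}: {why}")
    for htype, param in explicit_browse_holders(scheme):
        lines.append(f"  [ok] {htype} ({param})")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_SCHEME))
```

Run against a real scheme by replacing `SAMPLE_SCHEME` with the JSON from the REST call; every `[DYNAMIC]` or `[OPEN]` line is a grant that makes the project name visible to users who hold none of the `[ok]` roles, which is the state the thread ended up removing. If the per-issue restriction is still wanted, keep it in the issue security scheme rather than in Browse Projects.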
