Get product advice from experts

Ask a question →

Join a community group

Find a group →

Advance your career with learning paths

Take a free class →

Earn badges and rewards

Connect and share ideas at events

See the calendar →

Community
Products
Jira Software
Questions
Project visibility and its components - security issue

Project visibility and its components - security issue

After migrating to new jira 6.2.3 every user can see couple of projects on the all project list and its components names with no permission to this project. Anyone know problem like this solution ?

1 answer

0 votes

You've allowed "anyone" to see the projects.

You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.

Comment

Users with no permission to this project can see it on the list. They dont see the issues, only project and components names

You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.

Comment

Like

Oops, sorry. Also a possibility - you've used a user or group picker in the project browse permission. That has to expose the project to people who might be named there, even if there are not yet any issues that match the criteria.

You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.

Comment

Like

In project permissions there is only couple of users who need acces to this project and they see all issues, can create issues, but every one (around 2k users) can see the project on the list with no permission. There is no group added to project permission, only users

You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.

Comment

Like

That still strongly suggest you've allowed "anyone" to browse the projects. Then used issue security and/or reporter-browse to hide existing issues from them.

You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.

Comment

Like

Right. First, go to the project and check exactly which permission scheme it is using. Then, go into that scheme and list here *everything* that has "browse project" rights.

Don't try to interpret or explain anything, just give us the plain text of the box on the right (feel free to obscure any names with personal id info with xxxx's)

You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.

Comment

Like

This is browse project rights of this project:

Zgłaszający - Reporter
Aktualnie Przypisany - Current assignee
Rola w Projekcie (xxxxxxx) - Project Role
Rola w Projekcie (Administrators) - Project Role
Wartość Niestandardowego Pola Użytkownika (xxxxx) - Custom filed value
Wartość Niestandardowego Pola Użytkownika (xxxxx) - Custom filed value

You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.

Comment

Like

It's the first line.

If you allow the reporter to see the project, Jira has to open up the project to everyone who *might* report an issue.

Sorry it's taken a while to get there, you said the users had "no permissions", but there's actually loads there (other than the role ones which tend to be standard)

You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.

Comment

Like

We have done test with newly created user with only jira-users group and after login to jira we can see only this project on the list of all projects.

You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.

Comment

Like

You are right but permission for "Create Issue" in this project looks like:

Rola w Projekcie (Administrators) - Project Role
Rola w Projekcie (xxxx) - Project Role
Rola w Projekcie (xxxx) - Project Role
Rola w Projekcie (xxxx) - Project Role
Rola w Projekcie (xxxx) - Project Role

You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.

Comment

Like

Yes, because they might be a reporter.

You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.

Comment

Like

After i deleted Reporter permission to browse project i still can see project

You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.

Comment

Like

Could you remove (temporarily, of course) assignee and the two custom fields as well?

You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.

Comment

Like

I have to removed all permissions except project roles, and now work fine only users with permission can see project. I think it is bug because users with permission create issues should see project not every user in jira.

You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.

Comment

Like

Than you for your help

You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.

Comment

Like

Reply

Suggest an answer

Log in or Sign up to answer

Was this helpful?

Thanks!

TAGS

Community showcase