I've got a JIRA instance which recently had its permissions radically simplified in order to increase performance (seconds were being taken for basic actions).
However, at some point during this, unauthenticated users now have the permission to see the activity stream and to comment on issues. My reasoning was, that a user that had no ability log in or look at an issue would have no ability to comment on it either, but apparently this isn't 100% right.
Ideally, a user that is not logged in would see nothing on the system dashboard other than the login box (or even better, they'd be redirected straight to login.jsp)
What is the exact permission bit that controls these things? I've got "browse projects" restricted to an LDAP group, yet the dashboard is still populated when logged out.
The ability to comment is controlled by the permission schemes. If anonymous users can comment, then someone has added "anyone" as a group to the comment permission. While the use of "anonymous" can speed up a JIRA, it should never be used for anything other than "browse", or you can get people making unlogged anonymous changes.
As for the dashboard, it will be visible if the gadgets contain filters and the issues they return are visible to the anonymous group as well.
That's what isn't making any sense for me, though. "Jira Users" is limited to an LDAP group, "Browse projects" is limited to an LDAP group, yet the dashboard (specifically the activity stream) is still showing data. I'd like all issues/projects to not be viewable unless the user is authenticated.
Connect with like-minded Atlassian users at free events near you!Find a group
Connect with like-minded Atlassian users at free events near you!
Unfortunately there are no AUG chapters near you at the moment.Start an AUG