Jira script runner - is being used to create jira user groups. Would want to restrict that.

Divya TV
Contributor
February 25, 2022

We have Jira 8.13.12 and Adaptivist script runner 6.36.0.

A user has written a Groovy script which creates Jira user groups and then edits them whenever necessary.

Problem: Creating a jira user group is a jira-administrator action. We do not want this user who is not part of 'jira-administrator' user group doing this.

How do I restrict this?

Also, he has had an issue open for several years and he is using this to run the script. Whenever there is a comment added to the issue, the scripts are triggered and they do a bunch of Jira admin things mentioned in the XML files. We want to restrict these scripts from performing any jira-admin tasks.

1 answer

1 vote
Nic Brough -Adaptavist-
Rising Star
February 25, 2022

You can't do this - the person you want to block must be an administrator, so anything you do to control it can be undone by them.  

There are two ways to run scripts - either by a trigger that runs it (post function, listener, email handler, using a scripted field, etc) or by running it in the console function in Scriptrunner.

Only admins can use the console function, and only administrators can configure the scripts that are run by triggers.

You've said the scripts are triggered by commenting on an issue.  So there's a swathe of ways you could stop this usage.  You could

  • Remove those triggers. 
  • Remove the permission for this person to comment on the issues in this project. 
  • Delete the issue.  
  • Remove/change the parts of the scripts that are doing unwanted things.

But, for this person to be writing scripts and adding them into Jira, they must have administrator access, so they can undo all of those things (not the delete, but they can easily set up a new issue for it).

So, take away their admin access before removing the triggers or changing the scripts.

Divya TV
Contributor
February 28, 2022

Thank you Nic.

I went through everyone in the jira-admin and jira-nonsystem admin user group and this person isn't there as an admin.  How can I check which user is this script using to make this call?

Is there a specific groovy function that is used by script runner to authenticate?

ComponentAccessor.getCommentManager().create(issue, ComponentAccessor.getJiraAuthenticationContext().getLoggedInUser(), updateResult.toString(), false)

 

I assumed that ScriptRunner allows any regular user to access Jira-administrator functions through scripts. Which worried me; hope it's not true.

Divya TV
Contributor
February 28, 2022

The component accessor in turn provides https://docs.atlassian.com/software/jira/docs/api/7.6.1/com/atlassian/jira/component/ComponentAccessor.html#getGroupManager

Which can add users to jira user groups. Do you think they can add users to jira-administrator user group? 
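
An added example (not part of the thread and not Adaptavist's code): a Groovy script for the ScriptRunner console that lists every group granted the Jira Administrators or Jira System Administrators global permission, with its members, and then checks one account against both. It goes beyond looking at a single named group, because admin rights come from the global permission grants rather than from a group's name; the username `suspect.user` is a placeholder.

```groovy
import com.atlassian.jira.component.ComponentAccessor
import com.atlassian.jira.permission.GlobalPermissionKey

// Placeholder (assumption): replace with the account that owns the scripts.
String usernameToCheck = 'suspect.user'

def globalPermissionManager = ComponentAccessor.globalPermissionManager
def groupManager = ComponentAccessor.groupManager
def userManager = ComponentAccessor.userManager

// The two global permissions that confer admin rights in Jira Server.
def adminKeys = [
    'Jira Administrators'       : GlobalPermissionKey.ADMINISTER,
    'Jira System Administrators': GlobalPermissionKey.SYSTEM_ADMIN
]

def report = []

// In the console this is the administrator running the script.
report << "Running as: ${ComponentAccessor.jiraAuthenticationContext.loggedInUser?.name}"

// Every group holding an admin global permission, whatever it is called.
adminKeys.each { label, key ->
    globalPermissionManager.getGroupsWithPermission(key).each { group ->
        def members = groupManager.getUsersInGroup(group)
        report << "${label} via group '${group.name}': ${members.size()} member(s)"
        members.each { m ->
            report << "    ${m.name} (${m.displayName})${m.active ? '' : ' [inactive]'}"
        }
    }
}

// Effective check for the one account, independent of which group grants it.
def user = userManager.getUserByName(usernameToCheck)
if (user == null) {
    report << "No such user: ${usernameToCheck}"
} else {
    adminKeys.each { label, key ->
        report << "${usernameToCheck} has ${label}: ${globalPermissionManager.hasPermission(key, user)}"
    }
}

// The console displays the value of the last expression.
report.join('\n')
```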
