Managed filters are visible when you are logged out!!! BUG

Rumceisz July 22, 2012

Hi All,

Are you aware of this bug?

When you are not logged in, you can see the managed filters! Is it a bug???

However, all the filters are empty.

Have a look:

BASEURL/secure/ManageFilters.jspa

3 answers

1 accepted

0 votes
Answer accepted
Nic Brough -Adaptavist-
Community Leader
Community Leaders are connectors, ambassadors, and mentors. On the online community, they serve as thought leaders, product experts, and moderators.
July 22, 2012

I don't think it's even a real "bug", because if you share a filter with "all users", that should probably include the "anonymous" users. I'm not sure how you'd know how to block that.

Radu Dumitriu
Rising Star
Rising Stars are recognized for providing high-quality answers to other users. Rising Stars receive a certificate of achievement and are on the path to becoming Community Leaders.
July 22, 2012

2 cents: Shouldn't it be "shared with anyone" instead of "shared with all users"? I think this is a little confusing; that sharing should really be split in two, one to allow anonymous access and the other one to allow all logged-in users (so: "Shared with all users" and "Shared with anyone").

There's a security problem here: some users may leak information to the outside world without knowing it. Just an opinion.

Nic Brough -Adaptavist-
Community Leader
July 22, 2012

I think the language could be improved - it feels like it was written by an experienced Jira admin, who is fully aware that enabling "anonymous" access implies that "anyone" is a "user".

But replacing "shared with all users" with "shared with anyone" is wrong. You don't *know* that anonymous can see stuff when you use that screen.

There is no security problem, as long as your admins are fully aware of how "anyone/anonymous" works and exposes lots of information (potentially).

But I do think all the wording is unhelpful.

Jobin Kuruvilla [Adaptavist]
Rising Star
July 22, 2012

I agree. Filter names can have sensitive data. If it is shared with all users, it should be visible only to logged-in users. If shared with anyone, it should be visible to anonymous users.

But at the moment, JIRA has only one option to share with "Everyone". The fix should start there.

Rumceisz July 22, 2012

Hi,

Yes, I don't think it would be a great bug, but for many projects (companies) the filter name could be very sensitive info.

0 votes
Radu Dumitriu
Rising Star
July 22, 2012

IMHO it's a bug, and you should report it.

You can see the names of the "popular filters" which are shared, indeed, but since you cannot browse for other filters, it is a low severity bug.

0 votes
Jobin Kuruvilla [Adaptavist]
Rising Star
July 22, 2012

I think it only shows filters that are shared with all users. The content will be based on the permissions of the projects involved in the filter.
