Email notifications for jiraissues macro reflect page owner permissions rather than permissions of notified user...

Type atlassian
Reporter aatkins
Modified 2017-02-17T05:16:00


When a notification is sent out for a page that includes the {jiraissues} macro, the list of issues is based on the page owner's permissions rather than the notified user's permissions.

Here are the steps to reproduce:

1. Set up the trust relationship between your JIRA and Confluence installs.
2. Create users "user1" and "user2" on both Confluence and JIRA.
3. In Confluence, create a TEST space that is visible to both user1 and user2.
4. Log in as user2 and watch the TEST space. While you're logged in as user2, check your email preferences and make sure your email address is valid.
5. Create a JIRA project (PRIVATE, for example).
6. Create 1-2 issues in the new project.
7. Create a "private" group in JIRA.
8. Add user1 to the "private" group.
9. Create a permission scheme for the new project in which the "private" group is allowed to do everything and no other users are allowed to do anything.
10. Assign the permission scheme to the new project.
11. Search for open issues in the new project.
12. Copy the XML URL from the search.
13. Log out of JIRA and log in as user2. When browsing or searching, user2 should not be able to see any issues in the private project (or even know that it exists).
14. Log in to Confluence as user1. Create a page using the jiraissues macro and the URL copied above.
15. Log in to Confluence as user2. View the page containing the jiraissues macro, which correctly indicates that there are no issues (none are visible to the user).
16. Check the mail address specified for user2. The notification will display issues that are not visible to user2 in either JIRA or Confluence.

This bug is very specific to the mail notifications. All other views appear to respect user permissions.
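
A small model of the flaw and of a regression check for it, added here as an illustration; it is not Confluence or JIRA code. All function names and the sample data (constructed to mirror the reproduction steps) are hypothetical.

```python
import re

# Constructed sample data mirroring the reproduction steps above.
GROUPS = {"private": {"user1"}}                 # user2 is not a member
PROJECT_BROWSE_GROUP = {"PRIVATE": "private"}   # permission scheme for the project
ISSUES = {"PRIVATE-1": "Rotate keys", "PRIVATE-2": "Audit access"}
ISSUE_KEY = re.compile(r"\b([A-Z][A-Z0-9]*)-\d+\b")


def visible_issues(user):
    """Issues the given user may browse under the permission scheme."""
    return {
        key: summary for key, summary in ISSUES.items()
        if user in GROUPS[PROJECT_BROWSE_GROUP[key.split("-")[0]]]
    }


def render_macro(as_user):
    """Stand-in for {jiraissues}: lists what `as_user` can see in JIRA."""
    rows = [f"{k}: {s}" for k, s in sorted(visible_issues(as_user).items())]
    return "\n".join(rows) or "No issues found."


def notify_buggy(page_owner, watchers):
    """Behaviour in the report: body rendered once, as the page owner."""
    body = render_macro(page_owner)
    return {w: body for w in watchers}


def notify_fixed(page_owner, watchers):
    """Expected behaviour: body rendered separately for each recipient."""
    return {w: render_macro(w) for w in watchers}


def leaked_keys(recipient, body):
    """Regression check: issue keys in a mail body the recipient cannot browse."""
    allowed = set(visible_issues(recipient))
    return sorted({m.group(0) for m in ISSUE_KEY.finditer(body)} - allowed)


if __name__ == "__main__":
    for send in (notify_buggy, notify_fixed):
        for user, body in send("user1", ["user2"]).items():
            print(send.__name__, user, leaked_keys(user, body))
```

The same `leaked_keys` comparison can be run against captured notification mail in a test environment to confirm that mail rendering respects the recipient's permissions, not only the web view.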