Email notifications for jiraissues macro reflect page owner permissions rather than permissions of notified user...
2009-02-04T15:15:41
ID ATLASSIAN:CONF-14388 Type atlassian Reporter aatkins Modified 2017-02-17T05:16:00
Description
When a notification email is sent out for a page that includes the {jiraissues} macro, the macro output in that email is built from the page owner's permissions rather than the notified user's. The recipient therefore gets a list of issues that the same user would never see when viewing the page in Confluence or searching in JIRA.
Here are the steps to reproduce:
1. Set up the trust relationship between your JIRA and Confluence installs.
2. Create users "user1" and "user2" on both Confluence and JIRA.
3. In Confluence, create a TEST space that is visible to both user1 and user2.
4. Log in as user2 and watch the TEST space. While you're logged in as user2, check your email preferences and make sure your email address is valid.
5. Create a JIRA project (PRIVATE, for example).
6. Create 1-2 issues in the new project.
7. Create a "private" group in JIRA.
8. Add user1 to the "private" group.
9. Create a permission scheme for the new project in which the "private" group is allowed to do everything and no other users are allowed to do anything.
10. Assign the permission scheme to the new project.
11. Search for open issues in the new project.
12. Copy the XML URL from the search.
13. Log out of JIRA and log in as user2. When browsing or searching, user2 should not be able to see any issues in the private project (or even know that it exists).
14. Log in to Confluence as user1. Create a page in the TEST space using the jiraissues macro and the URL copied above.
15. Log in to Confluence as user2. View the page containing the jiraissues macro, which correctly indicates that there are no issues (none are visible to the user).
16. Check user2's mailbox. The notification email lists issues that are not visible to user2 in either JIRA or Confluence.
This bug is very specific to the mail notifications; all other views appear to respect user permissions. The impact is an information disclosure: any watcher of a space receives, by email, issue keys and summaries from a JIRA project they are not permitted to browse, simply because a user who can see that project put a {jiraissues} macro on a page there.
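The defect is a permission-context mistake: the notification is rendered once, as the page owner, and the same body is mailed to every watcher. The following Python model, added here as an illustration and not Confluence or JIRA code, reproduces that failure mode with toy users, a toy permission scheme and the two-user setup from the steps above, then shows the corrected behaviour (render the macro separately in each recipient's own context) and an audit that flags recipients who received issue keys they cannot browse. All names and data are constructed.

```python
"""Model of CONF-14388: render a {jiraissues} macro for email notifications.

Constructed example; the Jira/Issue classes and the user, group and project
names are assumptions for illustration, not the real Confluence/JIRA APIs.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Issue:
    key: str
    project: str
    summary: str


@dataclass
class Jira:
    """Toy JIRA: a permission scheme maps each project to the groups allowed to browse it."""
    issues: list[Issue]
    browse_groups: dict[str, set[str]]   # project -> groups with Browse Projects
    membership: dict[str, set[str]]      # user -> groups

    def can_browse(self, user: str, project: str) -> bool:
        return bool(self.membership.get(user, set()) & self.browse_groups.get(project, set()))

    def search(self, user: str, project: str) -> list[Issue]:
        # Mirrors the XML search URL: a user without Browse permission gets an
        # empty result, not an error that would reveal the project exists.
        if not self.can_browse(user, project):
            return []
        return [i for i in self.issues if i.project == project]


def render_macro(jira: Jira, as_user: str, project: str) -> str:
    """Expand {jiraissues} in the permission context of `as_user`."""
    issues = jira.search(as_user, project)
    if not issues:
        return "No issues found."
    return "\n".join(f"{i.key}: {i.summary}" for i in issues)


def notify_vulnerable(jira: Jira, page_owner: str, project: str, watchers: list[str]) -> dict[str, str]:
    """Buggy behaviour: render once as the page owner, mail the same body to everyone."""
    body = render_macro(jira, page_owner, project)
    return {w: body for w in watchers}


def notify_fixed(jira: Jira, page_owner: str, project: str, watchers: list[str]) -> dict[str, str]:
    """Corrected behaviour: render per recipient, in the recipient's own context.

    `page_owner` is accepted for signature parity but deliberately unused: the
    owner's permissions must never influence what another user receives.
    """
    return {w: render_macro(jira, w, project) for w in watchers}


def audit(jira: Jira, project: str, sent: dict[str, str]) -> list[str]:
    """Recipients whose mail body contains an issue key they are not allowed to browse."""
    keys = [i.key for i in jira.issues if i.project == project]
    return [
        user for user, body in sent.items()
        if not jira.can_browse(user, project) and any(k in body for k in keys)
    ]


# Constructed data matching the reproduction steps: user1 is in "private",
# user2 is not, and only "private" may browse project PRIVATE.
JIRA = Jira(
    issues=[
        Issue("PRIVATE-1", "PRIVATE", "Internal roadmap"),
        Issue("PRIVATE-2", "PRIVATE", "Unreleased customer list"),
    ],
    browse_groups={"PRIVATE": {"private"}},
    membership={"user1": {"private"}, "user2": set()},
)
WATCHERS = ["user1", "user2"]   # both watch the TEST space


def demo() -> tuple[dict[str, str], dict[str, str]]:
    """Return (leaking notifications, corrected notifications) for user1's page."""
    leaked = notify_vulnerable(JIRA, "user1", "PRIVATE", WATCHERS)
    safe = notify_fixed(JIRA, "user1", "PRIVATE", WATCHERS)
    return leaked, safe


if __name__ == "__main__":
    leaked, safe = demo()
    print("user2 sees in the page:", render_macro(JIRA, "user2", "PRIVATE"))
    print("user2 gets by email (buggy):", leaked["user2"].replace("\n", " | "))
    print("user2 gets by email (fixed):", safe["user2"])
    print("recipients over-shared with (buggy):", audit(JIRA, "PRIVATE", leaked))
    print("recipients over-shared with (fixed):", audit(JIRA, "PRIVATE", safe))
```

The general rule the fix encodes is that any content rendered for delivery to a user (email, RSS, export, push notification) must be produced in that user's permission context, never cached from the author's or the system's. The `audit` function is the kind of check a practitioner can run against captured outbound mail to confirm a deployment no longer over-shares.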
Affected software: Confluence <= 2.10, <= 2.10.1, <= 3.0, <= 3.1, <= 3.2, <= 3.3, < 4.2
Link: https://jira.atlassian.com/browse/CONF-14388