REST API allows getting a worklog from an issue without access rights to that issue

2014-07-19T15:14:07
ID ATLASSIAN:JRASERVER-39192
Type atlassian
Reporter wirone
Modified 2017-02-20T02:57:03

Description

On JIRA OnDemand v6.3-OD-08-005-WN (also here!) it's possible to get a worklog by its ID even if this worklog does not belong to the issue passed in the API URL.

Example: On our OnDemand instance I have access rights to {{<issue>}}. When I add a worklog to this issue via the REST API, I get its id ({{<worklog>}}). Now, when I call {{GET issue/<issue>/worklog/<worklog>}} (simplified) I get something like:

{code}
{
  "self": ".../rest/api/2/issue/15156/worklog/12928",
  "author": {
    "self": "...",
    "name": "...",
    "emailAddress": "...",
    "avatarUrls": {"16x16": "...", "24x24": "...", "32x32": "...", "48x48": "..."},
    "displayName": "...",
    "active": true
  },
  "updateAuthor": {
    "self": "...",
    "name": "...",
    "emailAddress": "...",
    "avatarUrls": {"16x16": "...", "24x24": "...", "32x32": "...", "48x48": "..."},
    "displayName": "...",
    "active": true
  },
  "comment": "",
  "created": "2014-07-15T14:34:49.813+0200",
  "updated": "2014-07-15T14:34:49.813+0200",
  "started": "2014-07-15T14:34:00.000+0200",
  "timeSpent": "2h 30m",
  "timeSpentSeconds": 9000,
  "id": "12928"
}
{code}

At this moment {{<issue> = 15156}} and {{<worklog> = 12928}}.

Now I change the worklog ID to a random value, for example 12929, and call {{GET issue/<issue>/worklog/12929}}, and I get a worklog from an entirely different issue than my {{<issue>}}. In the response, in {{self}}, I see the ID of that other issue (in this case 15336), so I can call {{GET issue/15336/worklog/12929}} and ok, I still see a valid response. But when I call {{GET issue/15336}} I see:

{code}
{"errorMessages":["You do not have the permission to see the specified issue."],"errors":{}}
{code}

So, two problems:
# [/rest/api/2/issue/<issueIdOrKey>/worklog/<id>|https://docs.atlassian.com/jira/REST/ondemand/#d2e4464] should not allow getting a worklog if worklog {{<id>}} does not belong to issue {{<issueIdOrKey>}}
# [/rest/api/2/issue/<issueIdOrKey>/worklog/<id>|https://docs.atlassian.com/jira/REST/ondemand/#d2e4464] should not allow getting a worklog if the user does not have permission to issue {{<issueIdOrKey>}}
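To make the two missing checks concrete, the following is an added example written for this page; it is not Jira's code and not the reporter's. It models the endpoint in Python over constructed in-memory issues, worklogs and browse permissions that mirror the ids in the report (15156, 15336, 12928, 12929). The function names {{get_worklog_unchecked}} / {{get_worklog_checked}}, the HTTP status codes and the {{example.invalid}} base URL are assumptions of the example, not Jira behaviour.

```python
"""Toy model of GET /rest/api/2/issue/<issueIdOrKey>/worklog/<id>.

Added example (not Jira's code). All issue ids, worklog ids, users and the
permission table are constructed to mirror the values in the bug report.
"""
from dataclasses import dataclass, field

BASE_URL = "https://example.invalid"  # placeholder instance URL

# Error body quoted in the report; reused here for the permission case.
PERMISSION_ERROR = {
    "errorMessages": ["You do not have the permission to see the specified issue."],
    "errors": {},
}
# Constructed message for a worklog that is not on the requested issue.
NOT_FOUND_ERROR = {"errorMessages": ["Worklog not found on this issue."], "errors": {}}


@dataclass
class Worklog:
    id: int
    issue_id: int
    time_spent_seconds: int


@dataclass
class Issue:
    id: int
    browse_users: set = field(default_factory=set)   # who may browse the issue
    worklogs: dict = field(default_factory=dict)     # worklog id -> Worklog


# Constructed data: user "wirone" can browse 15156 but not 15336.
ISSUES = {
    15156: Issue(15156, {"wirone"}),
    15336: Issue(15336, {"someone-else"}),
}
WORKLOGS = {
    12928: Worklog(12928, 15156, 9000),
    12929: Worklog(12929, 15336, 3600),
}
for _wl in WORKLOGS.values():
    ISSUES[_wl.issue_id].worklogs[_wl.id] = _wl


def serialize(wl: Worklog) -> dict:
    """Minimal version of the JSON shape shown in the report."""
    return {
        "self": f"{BASE_URL}/rest/api/2/issue/{wl.issue_id}/worklog/{wl.id}",
        "timeSpentSeconds": wl.time_spent_seconds,
        "id": str(wl.id),
    }


def get_worklog_unchecked(user: str, issue_id: int, worklog_id: int):
    """Behaviour the report describes: the worklog is looked up by its own id
    alone, so the issue in the URL and the caller's permissions never matter."""
    wl = WORKLOGS.get(worklog_id)
    return (200, serialize(wl)) if wl else (404, NOT_FOUND_ERROR)


def get_worklog_checked(user: str, issue_id: int, worklog_id: int):
    """Both checks the report asks for, in the order a handler should run them."""
    issue = ISSUES.get(issue_id)
    # Check 1: the caller must be allowed to browse the issue named in the URL.
    # "No such issue" and "no permission" return the same body so the endpoint
    # does not confirm which hidden issue ids exist.
    if issue is None or user not in issue.browse_users:
        return 403, PERMISSION_ERROR
    # Check 2: resolve the worklog *through* the issue, never through a global
    # table keyed by worklog id, so a worklog of another issue cannot be reached.
    wl = issue.worklogs.get(worklog_id)
    if wl is None:
        return 404, NOT_FOUND_ERROR
    return 200, serialize(wl)


if __name__ == "__main__":
    # The unchecked handler leaks issue 15336's worklog via issue 15156's URL.
    print(get_worklog_unchecked("wirone", 15156, 12929))
    # The checked handler refuses the same request.
    print(get_worklog_checked("wirone", 15156, 12929))
```

The important design point is in {{get_worklog_checked}}: the permission check runs against the issue in the URL before anything else, and the worklog is then resolved only from that issue's own collection, so the two checks cannot be bypassed independently.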