Sensitive information displayed in anonymous REST API calls

Type atlassian
Reporter jpalharini
Modified 2017-02-20T03:00:40


h4. Expected behavior

Block sensitive information from being displayed on anonymous REST API calls in JIRA.

h4. Actual behavior

Users' full names are displayed when running the calls below:

{noformat}
/user/picker?query=<username>
/groupuserpicker?query=ali&showAvatar
{noformat}

Default fields and custom fields are displayed when running the call below:

{noformat}
/jql/autocompletedata
{noformat}

h4. Workaround

There is currently no way to work around this within JIRA itself. The only solution would be to set up IP filtering on the affected calls.
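
One way to apply the IP filtering mentioned in the workaround, as an added example that is not part of the original report: an nginx reverse proxy in front of JIRA that serves the three affected calls only to listed networks. The hostname, backend address, certificate paths, allowed ranges and the `/rest/api/<version>/` prefix are assumptions; adjust them to the deployment.

```nginx
# Added example; every address, name and path below is constructed.
# Assumption: JIRA listens on 127.0.0.1:8080 and is reachable only through this proxy.
upstream jira_backend {
    server 127.0.0.1:8080;
}

server {
    listen 443 ssl;
    server_name jira.example.com;                  # placeholder hostname
    ssl_certificate     /etc/nginx/tls/jira.crt;   # placeholder paths
    ssl_certificate_key /etc/nginx/tls/jira.key;

    # The affected calls from the report, under the assumed /rest/api/<version>/ prefix.
    # nginx matches locations against the path only, so the ?query=... part is irrelevant.
    # Case-insensitive and without an end anchor, so trailing variants are filtered too.
    location ~* ^/rest/api/[^/]+/(user/picker|groupuserpicker|jql/autocompletedata) {
        allow 10.0.0.0/8;      # constructed: internal network
        allow 192.0.2.10;      # constructed: trusted integration host
        deny  all;             # all other clients receive 403

        proxy_pass http://jira_backend;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }

    # Everything else is proxied unchanged.
    location / {
        proxy_pass http://jira_backend;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
```

The filter is based on source address only, so it also applies to logged-in users outside the allowed ranges. If another load balancer sits in front of nginx, the `allow` rules see that balancer's address unless the real client address is restored first.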