Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
atlassianVshanmugamATLASSIAN:JSWSERVER-20621
HistoryJul 03, 2020 - 10:15 a.m.

Anonymous user able to access some agile board's report configuration

2020-07-0310:15:58
vshanmugam
jira.atlassian.com
9
JSON

h3. Issue Summary

When someone who did not login to Jira tried to access direct URL to Average Age Report, the user will be shown Configure - Average Age Report page instead of Jira asking the user to login.

h3. Steps to Reproduce

Copy the full URL to an Average Age Report (Eg: http://jira.megatron.com/vicky/secure/RapidBoard.jspa?projectKey=SSP&rapidView=1&view=reporting&chart=versionReport)

Open browser in incognito mode and ensure that user did not login to Jira.

Paste the full URL to an Average Age Report URL (Eg: http://jira.megatron.com/vicky/secure/RapidBoard.jspa?projectKey=SSP&rapidView=1&view=reporting&chart=versionReport) in the browser.

(i) This behaviour is reproducible with reports in β€œIssue analysis” category

h3. Expected Results

Jira shows the login gadget and request the user to login.

h3. Actual Results

Browser shows the following content:

!Screenshot 2020-07-03 at 6.13.57 PM.png|thumbnail!

h3. Workaround

None.

JSON