[jira] [Commented] (CONNECTORS-1713) JIRA Repository Connector ignores issue security when ingesting from JIRA 8.20+

Sun, 12 Jun 2022 02:29:24 -0700 


    [ 
https://issues.apache.org/jira/browse/CONNECTORS-1713?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17553244#comment-17553244
 ] 

Markus Schuch commented on CONNECTORS-1713:
-------------------------------------------

[~kwri...@metacarta.com] i tested on 2 different Versions:
||JIRA Server Version||Behavior of the {{/rest/user/viewissue/search}} 
endpoint||
|8.13.x|{{username=""}} must be provided to fetch all users with browse 
permission, otherwise an empty list is returned.|
|8.12.x|{{username=}} (empty string, no quotes) must be provided to fetch all 
users with browse permission, otherwise an empty list is returned.|

I'm not 100% sure, which version exactly changed the behavior. (might be 
somewhere between 8.14 and 8.20)
I need to do more test against different versions to find the exact versions. 
It should be doable with the Atlassian SDK which allows to bootstrap Jira 
server instances easily for development and testing.

So yes, we would break the connector for the older versions: The effect is, 
that security no longer works. All issues are ingested without access tokens 
and are therefore visible to all search users.

A version query for dynamic adoption should work. Is there another connector 
that does something like that?

> JIRA Repository Connector ignores issue security when ingesting from JIRA 
> 8.20+
> -------------------------------------------------------------------------------
>
>                 Key: CONNECTORS-1713
>                 URL: https://issues.apache.org/jira/browse/CONNECTORS-1713
>             Project: ManifoldCF
>          Issue Type: Bug
>          Components: JIRA connector
>    Affects Versions: ManifoldCF 2.22
>            Reporter: Markus Schuch
>            Priority: Major
>         Attachments: api-docs.png
>
>
> There was obviously a change in the behaviour of the JIRA Server REST API:
> The {{GET /rest/user/viewissue/search}} has a parameter {{username}}.
> In JIRA 8.13.x the value must be to double quotes ({{username=""}}) to fetch 
> all users that have browse permission for the issue.
> In JIRA 8.20.x the value must be empty ({{username=}}).
> I found no information about this change in the JIRA Release Notes.
> I raised a question in the Atlassian Dev Community:
> https://community.developer.atlassian.com/t/rest-api-change-in-behaviour-of-find-users-with-browse-permission-get-rest-user-viewissue-search/58819



--
This message was sent by Atlassian Jira
(v8.20.7#820007)

Reply via email to