You are viewing a plain text version of this content. The canonical link for it is here.

Posted to dev@manifoldcf.apache.org by "Markus Schuch (Jira)" <ji...@apache.org> on 2022/06/10 06:32:00 UTC

[jira] [Comment Edited] (CONNECTORS-1713) JIRA Repository Connector ignores issue security when ingesting from JIRA 8.20+

    [ https://issues.apache.org/jira/browse/CONNECTORS-1713?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17552583#comment-17552583 ] 

Markus Schuch edited comment on CONNECTORS-1713 at 6/10/22 6:31 AM:
--------------------------------------------------------------------

No information was provided by the atlassian developer community after roughly one week.

After reading the API docs again, i start to believe we probably use the API out of specification.

The docmentation says _*no users returned if left blank*_ about the {{username}} query parameter:
 !api-docs.png! 

https://docs.atlassian.com/software/jira/docs/api/REST/8.22.3/#user-findUsersWithBrowsePermission

I think it may be the case, that atlassian did not intend to provide an API to retrieve any user with browse permission for an issue. The username filter seems to be mandatory in the spec. But it is not even clear, how the filter works.


was (Author: schuchm):
No information was provided by the atlassian developer community after roughly one week.

After reading the API docs again, i start to believe we probably use the API out of specification.

The docmentation says _*no users returned if left blank*_ about the {{username}} query parameter:
 !api-docs.png! 

I think it may be the case, that atlassian did not intend to provide an API to retrieve any user with browse permission for an issue. The username filter seems to be mandatory in the spec. But it is not even clear, how the filter works.

> JIRA Repository Connector ignores issue security when ingesting from JIRA 8.20+
> -------------------------------------------------------------------------------
>
>                 Key: CONNECTORS-1713
>                 URL: https://issues.apache.org/jira/browse/CONNECTORS-1713
>             Project: ManifoldCF
>          Issue Type: Bug
>          Components: JIRA connector
>    Affects Versions: ManifoldCF 2.22
>            Reporter: Markus Schuch
>            Priority: Major
>         Attachments: api-docs.png
>
>
> There was obviously a change in the behaviour of the JIRA Server REST API:
> The {{GET /rest/user/viewissue/search}} has a parameter {{username}}.
> In JIRA 8.13.x the value must be to double quotes ({{username=""}}) to fetch all users that have browse permission for the issue.
> In JIRA 8.20.x the value must be empty ({{username=}}).
> I found no information about this change in the JIRA Release Notes.
> I raised a question in the Atlassian Dev Community:
> https://community.developer.atlassian.com/t/rest-api-change-in-behaviour-of-find-users-with-browse-permission-get-rest-user-viewissue-search/58819



--
This message was sent by Atlassian Jira
(v8.20.7#820007)