[jira] [Comment Edited] (CONNECTORS-1713) JIRA Repository Connector ignores issue security when ingesting from JIRA 8.20+

2022-06-12 Thread Markus Schuch (Jira)


[ 
https://issues.apache.org/jira/browse/CONNECTORS-1713?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17553244#comment-17553244
 ] 

Markus Schuch edited comment on CONNECTORS-1713 at 6/12/22 9:29 AM:


[~kwri...@metacarta.com] I tested on 2 different versions:
||JIRA Server Version||Behavior of the {{/rest/user/viewissue/search}} endpoint||
|8.13.x|{{username=""}} must be provided to fetch all users with browse permission, otherwise an empty list is returned.|
|8.12.x|{{username=}} (empty string, no quotes) must be provided to fetch all users with browse permission, otherwise an empty list is returned.|

I'm not 100% sure which version exactly changed the behavior (might be
somewhere between 8.14 and 8.20).
I need to do more tests against different versions to find the exact version. It
should be doable with the Atlassian SDK, which allows bootstrapping Jira server
instances easily for development and testing.

So yes, we would break the connector for the older versions: the effect is
that security no longer works. All issues are ingested without access tokens
and are therefore visible to all search users.

A version query for dynamic adoption should work. Is there another connector
that does something like that?


was (Author: schuchm):
[~kwri...@metacarta.com] I tested on 2 different versions:
||JIRA Server Version||Behavior of the {{/rest/user/viewissue/search}} endpoint||
|8.13.x|{{username=""}} must be provided to fetch all users with browse permission, otherwise an empty list is returned.|
|8.12.x|{{username=}} (empty string, no quotes) must be provided to fetch all users with browse permission, otherwise an empty list is returned.|

I'm not 100% sure which version exactly changed the behavior (might be
somewhere between 8.14 and 8.20).
I need to do more tests against different versions to find the exact versions.
It should be doable with the Atlassian SDK, which allows bootstrapping Jira
server instances easily for development and testing.

So yes, we would break the connector for the older versions: the effect is
that security no longer works. All issues are ingested without access tokens
and are therefore visible to all search users.

A version query for dynamic adoption should work. Is there another connector
that does something like that?

> JIRA Repository Connector ignores issue security when ingesting from JIRA 8.20+
> ---
>
> Key: CONNECTORS-1713
> URL: https://issues.apache.org/jira/browse/CONNECTORS-1713
> Project: ManifoldCF
> Issue Type: Bug
> Components: JIRA connector
> Affects Versions: ManifoldCF 2.22
> Reporter: Markus Schuch
> Priority: Major
> Attachments: api-docs.png
>
>
> There was obviously a change in the behaviour of the JIRA Server REST API:
> The {{GET /rest/user/viewissue/search}} has a parameter {{username}}.
> In JIRA 8.13.x the value must be two double quotes ({{username=""}}) to fetch
> all users that have browse permission for the issue.
> In JIRA 8.20.x the value must be empty ({{username=}}).
> I found no information about this change in the JIRA Release Notes.
> I raised a question in the Atlassian Dev Community:
> https://community.developer.atlassian.com/t/rest-api-change-in-behaviour-of-find-users-with-browse-permission-get-rest-user-viewissue-search/58819



--
This message was sent by Atlassian Jira
(v8.20.7#820007)
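
Added example, not part of the original thread or of ManifoldCF's code: one way to avoid the fail-open result described in the comment above is to try both reported `username` forms and refuse to index when neither returns a user, instead of keying on a Jira version whose cutoff the thread leaves open. The `issueKey` parameter, the `name` field, the `http_get_json` hook, `fake_jira` and the host name are assumptions of this example.

```python
from urllib.parse import parse_qs, quote, urlsplit

ENDPOINT = "/rest/user/viewissue/search"  # path as written in the issue

# The two username values reported in the thread: two double quotes, and empty.
# Which Jira release needs which is not settled there, so both are tried.
USERNAME_VALUES = ('""', "")


class AclLookupFailed(Exception):
    """No query form returned a user, so the issue must not be indexed."""


def candidate_urls(base_url, issue_key):
    """Build one request URL per known username form, in the order tried."""
    key = quote(issue_key, safe="")
    return [f"{base_url}{ENDPOINT}?username={quote(v)}&issueKey={key}"
            for v in USERNAME_VALUES]


def users_with_browse_permission(base_url, issue_key, http_get_json):
    """Return sorted user names allowed to browse issue_key, or raise.

    http_get_json(url) -> list of user dicts is a hypothetical transport hook.
    An empty list means "this server did not accept the query form" and is
    never read as "the issue is unrestricted".
    """
    for url in candidate_urls(base_url, issue_key):
        users = http_get_json(url)
        if users:
            return sorted(u["name"] for u in users)
    raise AclLookupFailed(f"no users returned for {issue_key}")


def fake_jira(accepted_username):
    """Constructed stand-in for a server honouring one username form (None: none)."""
    def get(url):
        sent = parse_qs(urlsplit(url).query, keep_blank_values=True)["username"][0]
        return [{"name": "bob"}, {"name": "alice"}] if sent == accepted_username else []
    return get


if __name__ == "__main__":
    for form in USERNAME_VALUES:
        print(repr(form), users_with_browse_permission(
            "https://jira.example", "PROJ-1", fake_jira(form)))
```

A connector using this pattern would skip or retry the document when `AclLookupFailed` is raised, so a change in the endpoint's behaviour shows up as a crawl error and not as issues indexed without access tokens.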


[jira] [Comment Edited] (CONNECTORS-1713) JIRA Repository Connector ignores issue security when ingesting from JIRA 8.20+

2022-06-10 Thread Markus Schuch (Jira)


[ 
https://issues.apache.org/jira/browse/CONNECTORS-1713?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17552585#comment-17552585
 ] 

Markus Schuch edited comment on CONNECTORS-1713 at 6/10/22 6:40 AM:


With CONNECTORS-1493 we have already experienced the situation the other way 
round. Here we had to put the quotes in the query to make it still work.

[~kwri...@metacarta.com] are you okay with me adjusting the query to adapt to 
JIRA Server Versions (8.20+) and thus no longer support older versions?


was (Author: schuchm):
With CONNECTORS-1493 we have already experienced the situation the other way 
round. Here we had to put the quotes in the query to make it still work.

[~kwri...@metacarta.com] are you okay with me adjusting the query to adapt to 
JIRA Server Versions? (8.20+)



[jira] [Comment Edited] (CONNECTORS-1713) JIRA Repository Connector ignores issue security when ingesting from JIRA 8.20+

2022-06-10 Thread Markus Schuch (Jira)


[ 
https://issues.apache.org/jira/browse/CONNECTORS-1713?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17552583#comment-17552583
 ] 

Markus Schuch edited comment on CONNECTORS-1713 at 6/10/22 6:32 AM:


No information was provided by the Atlassian developer community after roughly
one week.

After reading the API docs again, I start to believe we probably use the API
out of specification.

The documentation says _*no users returned if left blank*_ about the
{{username}} query parameter:
 !api-docs.png!

https://docs.atlassian.com/software/jira/docs/api/REST/8.22.3/#user-findUsersWithBrowsePermission

I think it may be the case that Atlassian did not intend to provide an API to
retrieve any user with browse permission for an issue. The username filter
seems to be mandatory in the spec. But it is not even clear how the filter is
supposed to work. Is it exact matching of usernames only? I don't know...


was (Author: schuchm):
No information was provided by the Atlassian developer community after roughly
one week.

After reading the API docs again, I start to believe we probably use the API
out of specification.

The documentation says _*no users returned if left blank*_ about the
{{username}} query parameter:
 !api-docs.png!

https://docs.atlassian.com/software/jira/docs/api/REST/8.22.3/#user-findUsersWithBrowsePermission

I think it may be the case that Atlassian did not intend to provide an API to
retrieve any user with browse permission for an issue. The username filter
seems to be mandatory in the spec. But it is not even clear how the filter
works.



[jira] [Comment Edited] (CONNECTORS-1713) JIRA Repository Connector ignores issue security when ingesting from JIRA 8.20+

2022-06-10 Thread Markus Schuch (Jira)


[ 
https://issues.apache.org/jira/browse/CONNECTORS-1713?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17552583#comment-17552583
 ] 

Markus Schuch edited comment on CONNECTORS-1713 at 6/10/22 6:31 AM:


No information was provided by the Atlassian developer community after roughly
one week.

After reading the API docs again, I start to believe we probably use the API
out of specification.

The documentation says _*no users returned if left blank*_ about the
{{username}} query parameter:
 !api-docs.png!

https://docs.atlassian.com/software/jira/docs/api/REST/8.22.3/#user-findUsersWithBrowsePermission

I think it may be the case that Atlassian did not intend to provide an API to
retrieve any user with browse permission for an issue. The username filter
seems to be mandatory in the spec. But it is not even clear how the filter
works.


was (Author: schuchm):
No information was provided by the Atlassian developer community after roughly
one week.

After reading the API docs again, I start to believe we probably use the API
out of specification.

The documentation says _*no users returned if left blank*_ about the
{{username}} query parameter:
 !api-docs.png!

I think it may be the case that Atlassian did not intend to provide an API to
retrieve any user with browse permission for an issue. The username filter
seems to be mandatory in the spec. But it is not even clear how the filter
works.
