[jira] [Commented] (CONNECTORS-1713) JIRA Repository Connector ignores issue security when ingesting from JIRA 8.20+
[ https://issues.apache.org/jira/browse/CONNECTORS-1713?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17553253#comment-17553253 ] Karl Wright commented on CONNECTORS-1713: - [~schuch], the SharePoint connector requires configuration information that specifies the version you're trying to talk to. But that's because there isn't a version interrogation present in the API for SharePoint. If there is such a capability for Jira I'd see how difficult it would be to use it. The version information should ideally be retrieved during the connect() method, and thus stored as an instance variable for the connector. Make sure you clean it out again when disconnect() is called though to prevent a pooled instance from malfunctioning. > JIRA Repository Connector ignores issue security when ingesting from JIRA > 8.20+ > --- > > Key: CONNECTORS-1713 > URL: https://issues.apache.org/jira/browse/CONNECTORS-1713 > Project: ManifoldCF > Issue Type: Bug > Components: JIRA connector >Affects Versions: ManifoldCF 2.22 >Reporter: Markus Schuch >Priority: Major > Attachments: api-docs.png > > > There was obviously a change in the behaviour of the JIRA Server REST API: > The {{GET /rest/user/viewissue/search}} has a parameter {{username}}. > In JIRA 8.13.x the value must be to double quotes ({{username=""}}) to fetch > all users that have browse permission for the issue. > In JIRA 8.20.x the value must be empty ({{username=}}). > I found no information about this change in the JIRA Release Notes. > I raised a question in the Atlassian Dev Community: > https://community.developer.atlassian.com/t/rest-api-change-in-behaviour-of-find-users-with-browse-permission-get-rest-user-viewissue-search/58819 -- This message was sent by Atlassian Jira (v8.20.7#820007)
[jira] [Commented] (CONNECTORS-1713) JIRA Repository Connector ignores issue security when ingesting from JIRA 8.20+
[ https://issues.apache.org/jira/browse/CONNECTORS-1713?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17553244#comment-17553244 ] Markus Schuch commented on CONNECTORS-1713: --- [~kwri...@metacarta.com] i tested on 2 different Versions: ||JIRA Server Version||Behavior of the {{/rest/user/viewissue/search}} endpoint|| |8.13.x|{{username=""}} must be provided to fetch all users with browse permission, otherwise an empty list is returned.| |8.12.x|{{username=}} (empty string, no quotes) must be provided to fetch all users with browse permission, otherwise an empty list is returned.| I'm not 100% sure, which version exactly changed the behavior. (might be somewhere between 8.14 and 8.20) I need to do more test against different versions to find the exact versions. It should be doable with the Atlassian SDK which allows to bootstrap Jira server instances easily for development and testing. So yes, we would break the connector for the older versions: The effect is, that security no longer works. All issues are ingested without access tokens and are therefore visible to all search users. A version query for dynamic adoption should work. Is there another connector that does something like that? > JIRA Repository Connector ignores issue security when ingesting from JIRA > 8.20+ > --- > > Key: CONNECTORS-1713 > URL: https://issues.apache.org/jira/browse/CONNECTORS-1713 > Project: ManifoldCF > Issue Type: Bug > Components: JIRA connector >Affects Versions: ManifoldCF 2.22 >Reporter: Markus Schuch >Priority: Major > Attachments: api-docs.png > > > There was obviously a change in the behaviour of the JIRA Server REST API: > The {{GET /rest/user/viewissue/search}} has a parameter {{username}}. > In JIRA 8.13.x the value must be to double quotes ({{username=""}}) to fetch > all users that have browse permission for the issue. > In JIRA 8.20.x the value must be empty ({{username=}}). > I found no information about this change in the JIRA Release Notes. > I raised a question in the Atlassian Dev Community: > https://community.developer.atlassian.com/t/rest-api-change-in-behaviour-of-find-users-with-browse-permission-get-rest-user-viewissue-search/58819 -- This message was sent by Atlassian Jira (v8.20.7#820007)
[jira] [Commented] (CONNECTORS-1713) JIRA Repository Connector ignores issue security when ingesting from JIRA 8.20+
[ https://issues.apache.org/jira/browse/CONNECTORS-1713?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17552637#comment-17552637 ] Karl Wright commented on CONNECTORS-1713: - [~schuch], are you saying the versions prior to 8.20 would be unsupported? Or is it just that we don't know? If we don't know, I'd say go ahead and make the needed repairs. If we DO know that it would break, we could make the (new) behavior contingent on the results of a version query to JIRA, correct? > JIRA Repository Connector ignores issue security when ingesting from JIRA > 8.20+ > --- > > Key: CONNECTORS-1713 > URL: https://issues.apache.org/jira/browse/CONNECTORS-1713 > Project: ManifoldCF > Issue Type: Bug > Components: JIRA connector >Affects Versions: ManifoldCF 2.22 >Reporter: Markus Schuch >Priority: Major > Attachments: api-docs.png > > > There was obviously a change in the behaviour of the JIRA Server REST API: > The {{GET /rest/user/viewissue/search}} has a parameter {{username}}. > In JIRA 8.13.x the value must be to double quotes ({{username=""}}) to fetch > all users that have browse permission for the issue. > In JIRA 8.20.x the value must be empty ({{username=}}). > I found no information about this change in the JIRA Release Notes. > I raised a question in the Atlassian Dev Community: > https://community.developer.atlassian.com/t/rest-api-change-in-behaviour-of-find-users-with-browse-permission-get-rest-user-viewissue-search/58819 -- This message was sent by Atlassian Jira (v8.20.7#820007)
[jira] [Commented] (CONNECTORS-1713) JIRA Repository Connector ignores issue security when ingesting from JIRA 8.20+
[ https://issues.apache.org/jira/browse/CONNECTORS-1713?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17552585#comment-17552585 ] Markus Schuch commented on CONNECTORS-1713: --- With CONNECTORS-1493 we have already experienced the situation the other way round. Here we had to put the quotes in the query to make it still work. [~kwri...@metacarta.com] are you okay with me adjusting the query to adapt to JIRA Server Versions? (8.20+) > JIRA Repository Connector ignores issue security when ingesting from JIRA > 8.20+ > --- > > Key: CONNECTORS-1713 > URL: https://issues.apache.org/jira/browse/CONNECTORS-1713 > Project: ManifoldCF > Issue Type: Bug > Components: JIRA connector >Affects Versions: ManifoldCF 2.22 >Reporter: Markus Schuch >Priority: Major > Attachments: api-docs.png > > > There was obviously a change in the behaviour of the JIRA Server REST API: > The {{GET /rest/user/viewissue/search}} has a parameter {{username}}. > In JIRA 8.13.x the value must be to double quotes ({{username=""}}) to fetch > all users that have browse permission for the issue. > In JIRA 8.20.x the value must be empty ({{username=}}). > I found no information about this change in the JIRA Release Notes. > I raised a question in the Atlassian Dev Community: > https://community.developer.atlassian.com/t/rest-api-change-in-behaviour-of-find-users-with-browse-permission-get-rest-user-viewissue-search/58819 -- This message was sent by Atlassian Jira (v8.20.7#820007)
[jira] [Commented] (CONNECTORS-1713) JIRA Repository Connector ignores issue security when ingesting from JIRA 8.20+
[ https://issues.apache.org/jira/browse/CONNECTORS-1713?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17552583#comment-17552583 ] Markus Schuch commented on CONNECTORS-1713: --- No information was provided by the atlassian developer community after roughly one week. After reading the API docs again, i start to believe we probably use the API out of specification. The docmentation says _*no users returned if left blank*_ about the {{username}} query parameter: !api-docs.png! I think it may be the case, that atlassian did not intend to provide an API to retrieve any user with browse permission for an issue. The username filter seems to be mandatory in the spec. But it is not even clear, how the filter works. > JIRA Repository Connector ignores issue security when ingesting from JIRA > 8.20+ > --- > > Key: CONNECTORS-1713 > URL: https://issues.apache.org/jira/browse/CONNECTORS-1713 > Project: ManifoldCF > Issue Type: Bug > Components: JIRA connector >Affects Versions: ManifoldCF 2.22 >Reporter: Markus Schuch >Priority: Major > Attachments: api-docs.png > > > There was obviously a change in the behaviour of the JIRA Server REST API: > The {{GET /rest/user/viewissue/search}} has a parameter {{username}}. > In JIRA 8.13.x the value must be to double quotes ({{username=""}}) to fetch > all users that have browse permission for the issue. > In JIRA 8.20.x the value must be empty ({{username=}}). > I found no information about this change in the JIRA Release Notes. > I raised a question in the Atlassian Dev Community: > https://community.developer.atlassian.com/t/rest-api-change-in-behaviour-of-find-users-with-browse-permission-get-rest-user-viewissue-search/58819 -- This message was sent by Atlassian Jira (v8.20.7#820007)