[jira] [Commented] (CONNECTORS-1713) JIRA Repository Connector ignores issue security when ingesting from JIRA 8.20+
[
https://issues.apache.org/jira/browse/CONNECTORS-1713?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17553253#comment-17553253
]
Karl Wright commented on CONNECTORS-1713:
-
[~schuch], the SharePoint connector requires configuration information that
specifies the version you're trying to talk to. But that's because there isn't
a version interrogation present in the API for SharePoint. If there is such a
capability for Jira I'd see how difficult it would be to use it. The version
information should ideally be retrieved during the connect() method, and thus
stored as an instance variable for the connector. Make sure you clean it out
again when disconnect() is called though to prevent a pooled instance from
malfunctioning.
> JIRA Repository Connector ignores issue security when ingesting from JIRA
> 8.20+
> ---
>
> Key: CONNECTORS-1713
> URL: https://issues.apache.org/jira/browse/CONNECTORS-1713
> Project: ManifoldCF
> Issue Type: Bug
> Components: JIRA connector
>Affects Versions: ManifoldCF 2.22
>Reporter: Markus Schuch
>Priority: Major
> Attachments: api-docs.png
>
>
> There was obviously a change in the behaviour of the JIRA Server REST API:
> The {{GET /rest/user/viewissue/search}} has a parameter {{username}}.
> In JIRA 8.13.x the value must be to double quotes ({{username=""}}) to fetch
> all users that have browse permission for the issue.
> In JIRA 8.20.x the value must be empty ({{username=}}).
> I found no information about this change in the JIRA Release Notes.
> I raised a question in the Atlassian Dev Community:
> https://community.developer.atlassian.com/t/rest-api-change-in-behaviour-of-find-users-with-browse-permission-get-rest-user-viewissue-search/58819
--
This message was sent by Atlassian Jira
(v8.20.7#820007)
[jira] [Commented] (CONNECTORS-1713) JIRA Repository Connector ignores issue security when ingesting from JIRA 8.20+
[
https://issues.apache.org/jira/browse/CONNECTORS-1713?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17553244#comment-17553244
]
Markus Schuch commented on CONNECTORS-1713:
---
[~kwri...@metacarta.com] i tested on 2 different Versions:
||JIRA Server Version||Behavior of the {{/rest/user/viewissue/search}}
endpoint||
|8.13.x|{{username=""}} must be provided to fetch all users with browse
permission, otherwise an empty list is returned.|
|8.12.x|{{username=}} (empty string, no quotes) must be provided to fetch all
users with browse permission, otherwise an empty list is returned.|
I'm not 100% sure, which version exactly changed the behavior. (might be
somewhere between 8.14 and 8.20)
I need to do more test against different versions to find the exact versions.
It should be doable with the Atlassian SDK which allows to bootstrap Jira
server instances easily for development and testing.
So yes, we would break the connector for the older versions: The effect is,
that security no longer works. All issues are ingested without access tokens
and are therefore visible to all search users.
A version query for dynamic adoption should work. Is there another connector
that does something like that?
> JIRA Repository Connector ignores issue security when ingesting from JIRA
> 8.20+
> ---
>
> Key: CONNECTORS-1713
> URL: https://issues.apache.org/jira/browse/CONNECTORS-1713
> Project: ManifoldCF
> Issue Type: Bug
> Components: JIRA connector
>Affects Versions: ManifoldCF 2.22
>Reporter: Markus Schuch
>Priority: Major
> Attachments: api-docs.png
>
>
> There was obviously a change in the behaviour of the JIRA Server REST API:
> The {{GET /rest/user/viewissue/search}} has a parameter {{username}}.
> In JIRA 8.13.x the value must be to double quotes ({{username=""}}) to fetch
> all users that have browse permission for the issue.
> In JIRA 8.20.x the value must be empty ({{username=}}).
> I found no information about this change in the JIRA Release Notes.
> I raised a question in the Atlassian Dev Community:
> https://community.developer.atlassian.com/t/rest-api-change-in-behaviour-of-find-users-with-browse-permission-get-rest-user-viewissue-search/58819
--
This message was sent by Atlassian Jira
(v8.20.7#820007)
[jira] [Commented] (CONNECTORS-1713) JIRA Repository Connector ignores issue security when ingesting from JIRA 8.20+
[
https://issues.apache.org/jira/browse/CONNECTORS-1713?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17552637#comment-17552637
]
Karl Wright commented on CONNECTORS-1713:
-
[~schuch], are you saying the versions prior to 8.20 would be unsupported? Or
is it just that we don't know?
If we don't know, I'd say go ahead and make the needed repairs. If we DO know
that it would break, we could make the (new) behavior contingent on the results
of a version query to JIRA, correct?
> JIRA Repository Connector ignores issue security when ingesting from JIRA
> 8.20+
> ---
>
> Key: CONNECTORS-1713
> URL: https://issues.apache.org/jira/browse/CONNECTORS-1713
> Project: ManifoldCF
> Issue Type: Bug
> Components: JIRA connector
>Affects Versions: ManifoldCF 2.22
>Reporter: Markus Schuch
>Priority: Major
> Attachments: api-docs.png
>
>
> There was obviously a change in the behaviour of the JIRA Server REST API:
> The {{GET /rest/user/viewissue/search}} has a parameter {{username}}.
> In JIRA 8.13.x the value must be to double quotes ({{username=""}}) to fetch
> all users that have browse permission for the issue.
> In JIRA 8.20.x the value must be empty ({{username=}}).
> I found no information about this change in the JIRA Release Notes.
> I raised a question in the Atlassian Dev Community:
> https://community.developer.atlassian.com/t/rest-api-change-in-behaviour-of-find-users-with-browse-permission-get-rest-user-viewissue-search/58819
--
This message was sent by Atlassian Jira
(v8.20.7#820007)
[jira] [Commented] (CONNECTORS-1713) JIRA Repository Connector ignores issue security when ingesting from JIRA 8.20+
[
https://issues.apache.org/jira/browse/CONNECTORS-1713?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17552585#comment-17552585
]
Markus Schuch commented on CONNECTORS-1713:
---
With CONNECTORS-1493 we have already experienced the situation the other way
round. Here we had to put the quotes in the query to make it still work.
[~kwri...@metacarta.com] are you okay with me adjusting the query to adapt to
JIRA Server Versions? (8.20+)
> JIRA Repository Connector ignores issue security when ingesting from JIRA
> 8.20+
> ---
>
> Key: CONNECTORS-1713
> URL: https://issues.apache.org/jira/browse/CONNECTORS-1713
> Project: ManifoldCF
> Issue Type: Bug
> Components: JIRA connector
>Affects Versions: ManifoldCF 2.22
>Reporter: Markus Schuch
>Priority: Major
> Attachments: api-docs.png
>
>
> There was obviously a change in the behaviour of the JIRA Server REST API:
> The {{GET /rest/user/viewissue/search}} has a parameter {{username}}.
> In JIRA 8.13.x the value must be to double quotes ({{username=""}}) to fetch
> all users that have browse permission for the issue.
> In JIRA 8.20.x the value must be empty ({{username=}}).
> I found no information about this change in the JIRA Release Notes.
> I raised a question in the Atlassian Dev Community:
> https://community.developer.atlassian.com/t/rest-api-change-in-behaviour-of-find-users-with-browse-permission-get-rest-user-viewissue-search/58819
--
This message was sent by Atlassian Jira
(v8.20.7#820007)
[jira] [Commented] (CONNECTORS-1713) JIRA Repository Connector ignores issue security when ingesting from JIRA 8.20+
[
https://issues.apache.org/jira/browse/CONNECTORS-1713?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17552583#comment-17552583
]
Markus Schuch commented on CONNECTORS-1713:
---
No information was provided by the atlassian developer community after roughly
one week.
After reading the API docs again, i start to believe we probably use the API
out of specification.
The docmentation says _*no users returned if left blank*_ about the
{{username}} query parameter:
!api-docs.png!
I think it may be the case, that atlassian did not intend to provide an API to
retrieve any user with browse permission for an issue. The username filter
seems to be mandatory in the spec. But it is not even clear, how the filter
works.
> JIRA Repository Connector ignores issue security when ingesting from JIRA
> 8.20+
> ---
>
> Key: CONNECTORS-1713
> URL: https://issues.apache.org/jira/browse/CONNECTORS-1713
> Project: ManifoldCF
> Issue Type: Bug
> Components: JIRA connector
>Affects Versions: ManifoldCF 2.22
>Reporter: Markus Schuch
>Priority: Major
> Attachments: api-docs.png
>
>
> There was obviously a change in the behaviour of the JIRA Server REST API:
> The {{GET /rest/user/viewissue/search}} has a parameter {{username}}.
> In JIRA 8.13.x the value must be to double quotes ({{username=""}}) to fetch
> all users that have browse permission for the issue.
> In JIRA 8.20.x the value must be empty ({{username=}}).
> I found no information about this change in the JIRA Release Notes.
> I raised a question in the Atlassian Dev Community:
> https://community.developer.atlassian.com/t/rest-api-change-in-behaviour-of-find-users-with-browse-permission-get-rest-user-viewissue-search/58819
--
This message was sent by Atlassian Jira
(v8.20.7#820007)
