JIRA Filters Returning Empty Set for Anonymous Users

Still need help?

The Atlassian Community is here for you.

Ask the community

Platform notice: Server and Data Center only. This article only applies to Atlassian products on the Server and Data Center platforms.

Support for Server* products ended on February 15th 2024. If you are running a Server product, you can visit the Atlassian Server end of support announcement to review your migration options.

*Except Fisheye and Crucible

The information in this page relates to customizations in Jira. Consequently, Atlassian Support cannot guarantee to provide any support for the steps described on this page as customizations are not covered under Atlassian Support Offerings. Please be aware that this material is provided for your information only and that you use it at your own risk.

Also, please be aware that customizations done by directly modifying files are not included in the upgrade process. These modifications will need to be reapplied manually on the upgraded instance.

This KB was written for older versions of JIRA hence the resolution may not work for newer versions.

Although this KB does not appear to be functional in current JIRA versions, there is an existing feature request to disable public access to the JIRA site in JRASERVER-65521 - Getting issue details... STATUS

From that page:

Workaround:
In JIRA 7.2.10 the possibility to disable public access for anonymous users was added, however it is still in labs state.

In order to disable public access for anonymous users, administrator needs to add a darkfeature public.access.disabled.
Here are the steps required for adding a dark feature in Jira:

  • Login as an administrator and go to [BASE-URL]/secure/SiteDarkFeatures!default.jspa
  • In the Enable Dark Feature text field add public.access.disabled



Symptoms

When a user who is not currently logged in into JIRA opens a link of a saved JIRA Filter (which they have received by email for example), the resulting page will simply state "No matching issues found".  Instead of displaying this page, some users might expect the result would be for JIRA to automatically redirect anonymous users to a Login page.  However this does not happen.

Cause

The IssueNavigator URL is not protected by the seraph library login redirect facility, so the query will run with anonymous privileges.

Resolution

Tune JIRA to force user login if requesting a filter URL while unauthenticated.

  1. Make a backup of your JIRA Application files or use a separate test instance. 
  2. Edit <JIRA-INSTALL>/atlassian-jira/WEB-INF/classes/actions.xml, locate the action named issue.IssueNavigator and add the property roles-required="user". The element should be like so:
    <action name="issue.IssueNavigator" alias="IssueNavigator" roles-required="user">
       <view name="success">/secure/views/navigator/navigator.jsp</view>
       <view name="error">/secure/views/navigator/navigator.jsp</view>
    </action>
    
  3. Test your instance for unwanted impact or side effects

Last modified on Jan 2, 2023

Was this helpful?

Yes
No
Provide feedback about this article
Powered by Confluence and Scroll Viewport.