Anonymous users able to see shared filters, dashboards, or project issues in Jira
Platform Notice: Data Center - This article applies to Atlassian products on the Data Center platform.
Note that this knowledge base article was created for the Data Center version of the product. Data Center knowledge base articles for non-Data Center-specific features may also work for Server versions of the product, however they have not been tested. Support for Server* products ended on February 15th 2024. If you are running a Server product, you can visit the Atlassian Server end of support announcement to review your migration options.
*Except Fisheye and Crucible
Symptoms
Whether or not they are logged in to Jira applications, users are able to see some shared filters, dashboards, and/or project issues. In effect, the instance is exposed externally to users who are not logged in. Nothing is logged in atlassian-jira.log.
Cause
Every access to Jira applications is performed as a given user. If you are not logged in, the system automatically uses "anonymous" as the user. This matters because filters, dashboards and permission schemes can grant privileges to groups and sets of users. One of those groups is Anyone, and this set of users includes the 'anonymous' user. So if you grant it any permission or share privilege, your instance will be partially exposed.
- JRASERVER-29503 - Wording for sharing Filters and Dashboards with Everyone is misleading (fixed in 6.4.1 and later)
- JRASERVER-23255 - Shared filters are visible to anonymous users when shared with 'Everyone' (implemented in Jira 7.2.2 and later)
- JRASERVER-18076 - Warn about assigning "Anyone" group in Global and Project permissions (implemented in Jira 8.4.0, 8.5.0 and later)
- JRASERVER-65380 - Anonymous user is unable to access Manage Dashboard page via UI (fixed in 10.3.0 and later)
Resolution
If you use Jira 8.4 or later, several security fixes have been introduced to remedy the issue. Read about the changes here.
Filters and Dashboards
Adjust the filter or dashboard so that it is no longer shared with Anyone or Public.
- To share with all logged-in users, select a group containing all Jira users.
  - You may need to select multiple groups if you do not have a single group containing all users.
  - As of Jira 7.2 you are able to select "Any logged-in user".
Jira Administrators are able to find Filters and Dashboards available to anonymous users by looking for Shared with all users or Shared with the public on the 'Manage Filters' and 'Manage Dashboards' pages. The administrator can contact the filter or dashboard owner to change the share, or the administrator can take ownership and adjust the share. See the following knowledge base article to retrieve the list from the database: JIRA get list of all filters shared with everyone
- Manage Filters and Manage Dashboards are located in Jira Administration:
  - Versions older than 6.3 - Located in Jira Administration > User Management
  - Versions 6.3 and newer - Located in Jira Administration > System
Project Issues
Review each Permission Scheme and adjust permissions granted to Anyone. For example, remove "Anyone" from the "Browse Project" permission if issues are visible without being logged in.
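The permission scheme review above can be scripted against an export of all schemes. The following is an added example, not Atlassian's own code: it assumes the export has the shape returned by GET /rest/api/2/permissionscheme?expand=permissions, that the "Anyone" group appears as holder type "anyone", and that "Browse Project" has the key BROWSE_PROJECTS. The sample data and function names are constructed for illustration.

```python
import json

ANYONE = "anyone"            # assumed holder type for the "Anyone" group
BROWSE = "BROWSE_PROJECTS"   # assumed permission key for "Browse Project"

# Constructed sample in the assumed shape of the permission scheme export.
SAMPLE_EXPORT = json.loads("""
{"permissionSchemes": [
  {"id": 10000, "name": "Default Permission Scheme", "permissions": [
    {"id": 1, "holder": {"type": "anyone"}, "permission": "BROWSE_PROJECTS"},
    {"id": 2, "holder": {"type": "group", "parameter": "jira-software-users"},
     "permission": "CREATE_ISSUES"},
    {"id": 3, "holder": {"type": "anyone"}, "permission": "ADD_COMMENTS"}]},
  {"id": 10100, "name": "Internal Scheme", "permissions": [
    {"id": 4, "holder": {"type": "projectRole", "parameter": "10002"},
     "permission": "BROWSE_PROJECTS"}]},
  {"id": 10200, "name": "Support Scheme", "permissions": [
    {"id": 5, "holder": {"type": "anyone"}, "permission": "CREATE_ISSUES"}]},
  {"id": 10300, "name": "Archived Scheme"}
]}
""")

def audit_anyone_grants(export):
    """Return (findings, unchecked).

    findings maps scheme name -> permission keys granted to Anyone, with
    Browse Project listed first. unchecked lists schemes whose grants were
    missing from the export, so they are not silently treated as clean.
    """
    findings, unchecked = {}, []
    for scheme in export.get("permissionSchemes", []):
        grants = scheme.get("permissions")
        if grants is None:           # export made without expand=permissions
            unchecked.append(scheme["name"])
            continue
        keys = {g["permission"] for g in grants
                if g.get("holder", {}).get("type", "").lower() == ANYONE}
        if keys:
            findings[scheme["name"]] = sorted(keys, key=lambda k: (k != BROWSE, k))
    return findings, unchecked

def exposes_issues(findings):
    """Schemes where Anyone holds Browse Project, i.e. issues are visible without login."""
    return sorted(name for name, keys in findings.items() if BROWSE in keys)

if __name__ == "__main__":
    found, skipped = audit_anyone_grants(SAMPLE_EXPORT)
    for name, keys in found.items():
        print(f"{name}: Anyone granted {', '.join(keys)}")
    print("Issues visible anonymously via:", exposes_issues(found))
    print("Not checked (no permissions in export):", skipped)
```

Schemes reported as not checked need to be exported again with their permissions included before they can be considered reviewed.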