Anonymous users are able to browse JIRA user base via REST API
Platform notice: Server and Data Center only. This article only applies to Atlassian products on the Server and Data Center platforms.
Support for Server* products ended on February 15th 2024. If you are running a Server product, you can visit the Atlassian Server end of support announcement to review your migration options.
*Except Fisheye and Crucible
Problem
Using any working REST endpoint as in JRASERVER-29069, anonymous users are able to retrieve the entire JIRA user base without logging in to JIRA.
Diagnosis
JIRA does not allow Anonymous access. Anonymous users are required to log in before they can view projects and issues.
Cause
The Browse Users global permission is granted to Anyone.
Resolution
If JIRA does not allow Anonymous access, it is not recommended to grant the Browse Users global permission to Anyone. Removing Anyone from the permission will resolve the issue.
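To confirm the change took effect, an administrator can check what an unauthenticated session is granted on their own instance. The script below is an added example, not Atlassian's code: it assumes Jira Server's `/rest/api/2/mypermissions` REST resource and the `USER_PICKER` key for Browse Users, and the sample response embedded in it is constructed.

```python
import json
import sys
import urllib.error
import urllib.request

# Constructed sample of an unauthenticated /rest/api/2/mypermissions response
# (trimmed to two entries; not captured from a real instance).
SAMPLE_EXPOSED = json.dumps({"permissions": {
    "USER_PICKER": {"key": "USER_PICKER", "name": "Browse Users",
                    "type": "GLOBAL", "havePermission": True},
    "ADMINISTER": {"key": "ADMINISTER", "name": "Jira Administrators",
                   "type": "GLOBAL", "havePermission": False},
}})

def anonymous_can_browse_users(body):
    """Return True if the permissions document grants Browse Users."""
    perms = json.loads(body).get("permissions", {})
    for entry in perms.values():
        # Match on key or display name (assumed values, see lead-in).
        if entry.get("key") == "USER_PICKER" or entry.get("name") == "Browse Users":
            return bool(entry.get("havePermission"))
    return False  # permission not reported at all

def check_instance(base_url, timeout=10):
    """Query the instance with no credentials and classify the result."""
    url = base_url.rstrip("/") + "/rest/api/2/mypermissions"
    req = urllib.request.Request(url, headers={"Accept": "application/json"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            body = resp.read().decode("utf-8")
    except urllib.error.HTTPError as err:
        if err.code in (401, 403):
            return "OK: anonymous REST access is rejected"
        raise
    if anonymous_can_browse_users(body):
        return "EXPOSED: Browse Users is granted to Anyone"
    return "OK: anonymous users lack Browse Users"

if __name__ == "__main__":
    if len(sys.argv) == 2:
        print(check_instance(sys.argv[1]))  # base URL of your own instance
    else:
        print(anonymous_can_browse_users(SAMPLE_EXPOSED))
```

Run it with the base URL of the instance as the only argument, before and after removing Anyone from the permission; with no argument it evaluates the constructed sample.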