JIRA Filters Returning Empty Set for Anonymous Users

Still need help?

The Atlassian Community is here for you.

Ask the community

This article only applies to Atlassian's server products. Learn more about the differences between cloud and server.

The information in this page relates to customisations in JIRA. Consequently, Atlassian Support cannot guarantee to provide any support for the steps described on this page as customisations are not covered under Atlassian Support Offerings. Please be aware that this material is provided for your information only and that you use it at your own risk.

Also, please be aware that customisations done by directly modifying files are not included in the upgrade process. These modifications will need to be reapplied manually on the upgraded instance.

This KB was written for older versions of JIRA hence the resolution may not work for newer versions.

Although this KB does not appear to be functional in current JIRA versions, there is an existing feature request to disable public access to the JIRA site in JRASERVER-65521 - Getting issue details... STATUS

From that page:

Workaround:
In JIRA 7.2.10 the possibility to disable public access for anonymous users was added, however it is still in labs state.

In order to disable public access for anonymous users, administrator needs to add a darkfeature public.access.disabled.
Here are the steps required for adding a dark feature in Jira:

  • Login as an administrator and go to [BASE-URL]/secure/SiteDarkFeatures!default.jspa
  • In the Enable Dark Feature text field add public.access.disabled



Symptoms

When a user who is not currently logged in into JIRA opens a link of a saved JIRA Filter (which they have received by email for example), the resulting page will simply state "No matching issues found".  Instead of displaying this page, some users might expect the result would be for JIRA to automatically redirect anonymous users to a Login page.  However this does not happen.

Cause

The IssueNavigator URL is not protected by the seraph library login redirect facility, so the query will run with anonymous privileges.

Resolution

Tune JIRA to force user login if requesting a filter URL while unauthenticated.

  1. Make a backup of your JIRA Application files or use a separate test instance
  2. Edit <JIRA-INSTALL>/atlassian-jira/WEB-INF/classes/actions.xml, locate the action named issue.IssueNavigator and add the property roles-required="user". The element should be like so:
    <action name="issue.IssueNavigator" alias="IssueNavigator" roles-required="user">
       <view name="success">/secure/views/navigator/navigator.jsp</view>
       <view name="error">/secure/views/navigator/navigator.jsp</view>
    </action>
    
  3. Test your instance for unwanted impact or side effects

Last modified on Mar 28, 2019

Was this helpful?

Yes
No
Provide feedback about this article
Powered by Confluence and Scroll Viewport.