JIRA Filters Returning Empty Set for Anonymous Users
This article only applies to Atlassian's server products. Learn more about the differences between cloud and server.
The information in this page relates to customisations in JIRA. Consequently, Atlassian Support cannot guarantee to provide any support for the steps described on this page as customisations are not covered under Atlassian Support Offerings. Please be aware that this material is provided for your information only and that you use it at your own risk.
Also, please be aware that customisations done by directly modifying files are not included in the upgrade process. These modifications will need to be reapplied manually on the upgraded instance.
This KB was written for older versions of JIRA hence the resolution may not work for newer versions.
Although this KB does not appear to be functional in current JIRA versions, there is an existing feature request to disable public access to the JIRA site in - JRASERVER-65521Getting issue details... STATUS
From that page:
In JIRA 7.2.10 the possibility to disable public access for anonymous users was added, however it is still in labs state.
In order to disable public access for anonymous users, administrator needs to add a darkfeature public.access.disabled.
Here are the steps required for adding a dark feature in Jira:
- Login as an administrator and go to [BASE-URL]/secure/SiteDarkFeatures!default.jspa
- In the Enable Dark Feature text field add public.access.disabled
When a user who is not currently logged in into JIRA opens a link of a saved JIRA Filter (which they have received by email for example), the resulting page will simply state "No matching issues found". Instead of displaying this page, some users might expect the result would be for JIRA to automatically redirect anonymous users to a Login page. However this does not happen.
IssueNavigator URL is not protected by the seraph library login redirect facility, so the query will run with anonymous privileges.
Tune JIRA to force user login if requesting a filter URL while unauthenticated.
- Make a backup of your JIRA Application files or use a separate test instance
Edit <JIRA-INSTALL>/atlassian-jira/WEB-INF/classes/actions.xml, locate the action named issue.IssueNavigator and add the property
roles-required="user". The element should be like so:
<action name="issue.IssueNavigator" alias="IssueNavigator" roles-required="user"> <view name="success">/secure/views/navigator/navigator.jsp</view> <view name="error">/secure/views/navigator/navigator.jsp</view> </action>
- Test your instance for unwanted impact or side effects