JIRA Filters Returning Empty Set for Anonymous Users
Platform notice: Server and Data Center only. This article only applies to Atlassian products on the Server and Data Center platforms.
Support for Server* products will end after February 15th 2024. If you are running a Server product, you can visit the Atlassian Server end of support announcement to review your migration options.
*Except Fisheye and Crucible
The information in this page relates to customizations in Jira. Consequently, Atlassian Support cannot guarantee to provide any support for the steps described on this page as customizations are not covered under Atlassian Support Offerings. Please be aware that this material is provided for your information only and that you use it at your own risk.
Also, please be aware that customizations done by directly modifying files are not included in the upgrade process. These modifications will need to be reapplied manually on the upgraded instance.
This KB was written for older versions of JIRA hence the resolution may not work for newer versions.
Although this KB does not appear to be functional in current JIRA versions, there is an existing feature request to disable public access to the JIRA site in - JRASERVER-65521Getting issue details... STATUS
From that page:
In JIRA 7.2.10 the possibility to disable public access for anonymous users was added, however it is still in labs state.
In order to disable public access for anonymous users, administrator needs to add a darkfeature public.access.disabled.
Here are the steps required for adding a dark feature in Jira:
- Login as an administrator and go to [BASE-URL]/secure/SiteDarkFeatures!default.jspa
- In the Enable Dark Feature text field add public.access.disabled
When a user who is not currently logged in into JIRA opens a link of a saved JIRA Filter (which they have received by email for example), the resulting page will simply state "No matching issues found". Instead of displaying this page, some users might expect the result would be for JIRA to automatically redirect anonymous users to a Login page. However this does not happen.
IssueNavigator URL is not protected by the seraph library login redirect facility, so the query will run with anonymous privileges.
Tune JIRA to force user login if requesting a filter URL while unauthenticated.
- Make a backup of your JIRA Application files or use a separate test instance.
- Edit <JIRA-INSTALL>/atlassian-jira/WEB-INF/classes/actions.xml, locate the action named issue.IssueNavigator and add the property
roles-required="user". The element should be like so:
<action name="issue.IssueNavigator" alias="IssueNavigator" roles-required="user"> <view name="success">/secure/views/navigator/navigator.jsp</view> <view name="error">/secure/views/navigator/navigator.jsp</view> </action>
- Test your instance for unwanted impact or side effects