Jira notifications (batched and non-batched) not sent anymore to users who don't have application access after Jira upgrade to 8.19.0+

Platform notice: Server and Data Center only. This article only applies to Atlassian products on the Server and Data Center platforms.

Support for Server* products ended on February 15th 2024. If you are running a Server product, you can visit the Atlassian Server end of support announcement to review your migration options.

*Except Fisheye and Crucible

   

Summary

After upgrading Jira to 8.19.0 (or any higher version), Jira users who don't have application access no longer receive Jira notifications related to issue updates that they are involved in (by being the reporter, assignee, watcher, component leader, ...).

Environment

The following Jira versions are impacted:

  • Any 8.19.x version
  • Versions 8.20.0 to 8.20.5 inclusive
  • Any 8.21.x version
  • The version 8.22.0

Note: this behavior only impacts Jira notifications (batched and non-batched), not to be confused with customer notifications from Jira Service Management projects.

Diagnosis

  • The issue occurs:
    • after upgrading to Jira 8.19.0 or any higher version (or in a fresh Jira 8.19.0+ instance)
    • with any type of project (Core, Software, Service Management)
    • whether the batched notifications are disabled or enabled
  • The issue only impacts Jira users who don't have Jira application access (via a Jira license)
  • For the impacted user who is not receiving Jira notifications:
    • The permission helper (accessible from ⚙ > System > Permission helper) is showing that the user has the permission to access the issue (via the Browse Project permission)
    • The notification helper (accessible from ⚙ > System > Notification helper) is showing that the user is eligible to receive a notification (due to how the notification scheme is configured for the project)

Cause

A change introduced in Jira 8.19.0 affects the way Jira notifications are sent. It was made to address the vulnerability tracked in JRASERVER-72737.

Up to Jira 8.18.x, Jira users did not need to have Jira application access to receive Jira notifications from an issue, as long as the user met the following 2 conditions:

  • had access to the Jira issue
  • was eligible to receive a notification from this issue for specific events, as per the notification scheme configuration

Because this behavior was recently classified as a vulnerability, there is now a 3rd condition that Jira users must meet to receive notifications: they need to have Jira application access (via a Jira license).

Notes:

  • This change only impacts Jira notifications sent based on the notification scheme (upon issue creation, update, comment, etc.).
  • This change does not impact the way the mention notifications work:
    • If a user without application access is tagged in a Jira comment, this user might or might not receive the notifications depending on various parameters such as the type of project, and whether Jira notification batching is enabled or not
    • Please refer to the bug https://jira.atlassian.com/browse/JRASERVER-77638 for the inconsistencies around how the mention notifications are sent or not sent to unlicensed users

Solution

Solution 1

Grant application access to the impacted users by adding them to a group that is configured to provide application access, as described in Manage group access to applications.

Solution 2

Upgrade the Jira application to 8.20.6 (or any higher version within 8.20.x), or 8.22.1 (or any version above this one), and enable the Dark Feature Flag below:

com.atlassian.jira.send.email.notifications.to.user.without.application.access.enabled

Warning: Jira 8.21.x versions do not contain this dark feature, so if you are using Jira 8.21.x, you will need to upgrade to 8.22.1 or any higher version.
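The version ranges above are not a simple threshold: 8.21.x sorts above 8.20.6 yet lacks the dark feature. The following Python sketch is an added example, not Atlassian code, that triages a list of instances against the ranges in this article; the instance names, the `classify`/`triage` helpers and the state labels are assumptions made for illustration.

```python
import re

# Flag name copied from this article; all other names are illustrative.
FLAG = ("com.atlassian.jira.send.email.notifications."
        "to.user.without.application.access.enabled")

def parse_version(text):
    """Return (major, minor, patch) from strings such as '8.20.5' or '8.21'."""
    m = re.match(r"\s*(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError("unrecognized Jira version: %r" % text)
    return tuple(int(g) if g else 0 for g in m.groups())

def classify(version):
    """Map a Jira Server/DC version to the options this article describes."""
    v = parse_version(version)
    if v < (8, 19, 0):
        return "old-behavior"            # application access not yet required
    if v[:2] == (8, 20) and v >= (8, 20, 6):
        return "flag-available"          # Solution 2 applies within 8.20.x
    if v >= (8, 22, 1):
        return "flag-available"          # Solution 2 applies from 8.22.1 up
    # 8.19.x, 8.20.0-8.20.5, every 8.21.x and 8.22.0 have no dark feature.
    # A naive ">= 8.20.6" test would wrongly accept 8.21.x here.
    return "needs-access-or-upgrade"

ADVICE = {
    "old-behavior": "unlicensed users still receive scheme notifications",
    "flag-available": "grant application access, or enable " + FLAG,
    "needs-access-or-upgrade": "grant application access, or upgrade to "
                               "8.20.6+ (8.20.x) or 8.22.1+",
}

def triage(inventory):
    """Return {instance: (state, advice)} for a name -> version mapping."""
    return {name: (classify(ver), ADVICE[classify(ver)])
            for name, ver in inventory.items()}

# Constructed sample inventory (hypothetical instance names).
SAMPLE = {"jira-prod": "8.20.5", "jira-stage": "8.21.1",
          "jira-dev": "8.22.1", "jira-legacy": "8.18.2"}

if __name__ == "__main__":
    for name, (state, advice) in sorted(triage(SAMPLE).items()):
        print("%-12s %-24s %s" % (name, state, advice))
```
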

Related 

JRASERVER-73165



Last modified on Apr 16, 2024
