Jira notifications (batched and non-batched) not sent anymore to users who don't have application access after Jira upgrade to 8.19.0+

Platform notice: Server and Data Center only. This article only applies to Atlassian products on the Server and Data Center platforms.

Support for Server* products ended on February 15th 2024. If you are running a Server product, you can visit the Atlassian Server end of support announcement to review your migration options.

*Except Fisheye and Crucible

   

Summary

After upgrading Jira to 8.19.0 (or any higher version), Jira users who don't have application access no longer receive Jira notifications related to issue updates that they are involved in (by being the reporter, assignee, watcher, component leader, ...).
However, such users still receive the mention-type notification (by being tagged in a comment).

Environment

The following Jira versions are impacted:

  • Any 8.19.x version
  • Versions 8.20.0 to 8.20.5 inclusive
  • Any 8.21.x version
  • Version 8.22.0

Note: this behavior only impacts Jira notifications (batched and non-batched), not to be confused with customer notifications from Jira Service Management projects.

Diagnosis

  • The issue occurs:
    • after upgrading to Jira 8.19.0 or any higher version (or in a fresh Jira 8.19.0+ instance)
    • with any type of project (Core, Software, Service Management)
    • whether the batched notifications are disabled or enabled
  • The issue only impacts Jira users who don't have Jira application access (via a Jira license)
  • For the impacted user who is not receiving Jira notifications:
    • The permission helper (accessible from ⚙ > System > Permission helper) is showing that the user has the permission to access the issue (via the Browse Project permission)
    • The notification helper (accessible from ⚙ > System > Notification helper) is showing that the user is eligible to receive a notification (due to how the notification scheme is configured for the project)

Cause

A change introduced in Jira 8.19.0 affects the way Jira notifications are sent. The change was made because of the vulnerability tracked in JRASERVER-72737.

Up to Jira 8.18.x, a Jira user did not need Jira application access to receive Jira notifications from an issue, as long as the user met the following 2 conditions:

  • had access to the Jira issue
  • was eligible to receive a notification from this issue for specific events, as per the notification scheme configuration

Because this behavior was recently classified as a vulnerability, a 3rd condition is now required for Jira users to receive notifications: users need to have Jira application access (via a Jira license).

(warning) Note: this change only impacts Jira notifications sent based on the notification scheme (upon issue creation, update, comment, etc.). It does not impact mention-type notifications. If a user without application access is tagged in a Jira comment, this user will still receive the notification.

Solution

Solution 1

Grant application access to the impacted users, by adding them to a group which is configured to provide application access, per Manage group access to applications.

Solution 2

Upgrade the Jira application to 8.20.6 (or any higher version within 8.20.x), or 8.22.1 (or any version above this one), and enable the Dark Feature Flag below:

com.atlassian.jira.send.email.notifications.to.user.without.application.access.enabled

(warning) Note that the Jira versions 8.21.x do not contain this dark feature, so if you are using Jira 8.21.x, you will need to upgrade to 8.22.1 or any higher version.
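The version rules above can be encoded as a small triage helper. This is an added example, not Atlassian code: the function names and status labels are hypothetical, and only the version boundaries and the flag key come from this article.

```python
import re

# Dark feature key quoted in Solution 2 of this article.
FLAG = ("com.atlassian.jira.send.email.notifications."
        "to.user.without.application.access.enabled")


def parse_version(text):
    """Parse '8.20.5' or '8.20' into a (major, minor, patch) tuple."""
    m = re.fullmatch(r"(\d+)\.(\d+)(?:\.(\d+))?", text.strip())
    if not m:
        raise ValueError(f"unrecognised Jira version: {text!r}")
    return tuple(int(g or 0) for g in m.groups())


def classify(version):
    """Map a Jira Server/Data Center version to the behaviour described here.

    'unrestricted'       - up to 8.18.x, application access is not required
    'restricted-no-flag' - 8.19.x, 8.20.0-8.20.5, 8.21.x, 8.22.0
    'flag-available'     - 8.20.6+ within 8.20.x, or 8.22.1 and above
    """
    v = parse_version(version)
    if v < (8, 19, 0):
        return "unrestricted"
    in_fixed_8_20 = v[:2] == (8, 20) and v >= (8, 20, 6)
    if in_fixed_8_20 or v >= (8, 22, 1):
        return "flag-available"
    return "restricted-no-flag"  # includes every 8.21.x release


def options(version):
    """Return the remediation options from this article for a version."""
    status = classify(version)
    if status == "unrestricted":
        return []
    opts = ["Solution 1: grant application access to the impacted users"]
    if status == "flag-available":
        opts.append(f"Solution 2: enable dark feature {FLAG}")
    else:
        opts.append("Solution 2: upgrade to 8.20.6+ (8.20.x) or 8.22.1+, "
                    "then enable the dark feature")
    return opts


if __name__ == "__main__":
    for ver in ("8.18.2", "8.20.5", "8.20.6", "8.21.1", "8.22.1"):
        print(ver, classify(ver), options(ver))
```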

Related 

JRASERVER-73165



Last modified on Feb 22, 2022
