...

Projectrak permissions approach

Manage permissions

Checks

  1. Load the Jira Browse Projects page and check that it displays the same projects as the Project Navigator. Then disable the Projectrak "View all projects" option from Administration and test it from the "Projects \ View all projects" menu.
    Important: this operation must be performed using the affected user session, not with a Jira admin session.
    https://<jira_baseURL>/secure/BrowseProjects.jspa?selectedCategory=all&selectedProjectType=all


  2. Check whether the user can access issues of projects they shouldn't have access to.
    1. Important: this operation must be performed using the affected user session, not with a Jira admin session.
  3. Check the “Browse projects” permission on the project(s) that the user should not see.



  4. Get user information using the Projectrak script console
    This code returns the projects the user has access to and the groups the user belongs to.
    It uses only the Jira Java API, not the Projectrak API.

    Code Block
    import com.atlassian.jira.component.ComponentAccessor
    import com.atlassian.jira.bc.project.ProjectService
    import com.atlassian.jira.security.PermissionManager
    import com.atlassian.jira.security.Permissions
    import com.atlassian.jira.permission.ProjectPermissions
    
    def USERNAME = "<USERNAME>"
    def outcome = ""
    
    def projectService = ComponentAccessor.getComponent(ProjectService)
    def permissionManager = ComponentAccessor.getComponent(PermissionManager)
    def projectManager = ComponentAccessor.projectManager
    
    def user = ComponentAccessor.userManager.getUserByName(USERNAME)
    if (!user) return "ERROR: '${USERNAME}' not found"
    // A global admin passes every project permission check, so the lists below would tell nothing
    if (permissionManager.hasPermission(Permissions.ADMINISTER, user)) return "User '${USERNAME}' is a global admin and has access to all projects"
    
    outcome = "<p>- User: ${user}</p>"
    
    // Projects from "ProjectService": the projects Jira itself considers browsable by this user
    def userProjects1 = new ArrayList<String>()
    projectService.getAllProjects(user).get().each { project -> userProjects1.add(project.key) }
    outcome += "<p>- User projects from 'ProjectService': ${userProjects1.join(',')}</p>"
    
    // Projects from "ProjectManager", checking the "BROWSE_PROJECTS" permission on each one.
    // This list should agree with the 'ProjectService' list above.
    def userProjects2 = new ArrayList<String>()
    projectManager.getProjects().each { project ->
        if (permissionManager.hasPermission(ProjectPermissions.BROWSE_PROJECTS, project, user)) userProjects2.add(project.key)
    }
    outcome += "<p>- User projects from 'ProjectManager' with 'BROWSE_PROJECTS' permission: ${userProjects2.join(',')}</p>"
    
    // User groups (group membership is the usual way "Browse Projects" is granted)
    def groups = new ArrayList<String>()
    def userGroups = ComponentAccessor.groupManager.getGroupsForUser(user)
    userGroups.each { group -> groups.add(group.name) }
    
    outcome += "<p>- User groups: ${groups.join(',')}</p>"
    
    return outcome


  5. Check user access to a project
    Check this user's access to the project they shouldn't have access to.

    Code Block
    import com.atlassian.jira.component.ComponentAccessor
    import com.atlassian.jira.security.PermissionManager
    import com.atlassian.jira.security.Permissions
    import com.atlassian.jira.permission.ProjectPermissions
    
    def USERNAME = "<USERNAME>"
    def PROJECTKEY = "<PROJECTKEY>"
    
    def userManager = ComponentAccessor.userManager
    def permissionManager = ComponentAccessor.getComponent(PermissionManager)
    def projectManager = ComponentAccessor.projectManager
    
    def user = userManager.getUserByName(USERNAME)
    if (!user) return "User '${USERNAME}' not found"
    
    def project = projectManager.getProjectByCurrentKey(PROJECTKEY)
    if (!project) return "Project '${PROJECTKEY}' not found"
    
    // A global admin passes every project permission check, so the result below would always be YES
    if (permissionManager.hasPermission(Permissions.ADMINISTER, user)) {
        return "User '${USERNAME}' is a global admin and has access to all projects"
    }
    
    // "Browse Projects" is the permission that controls whether the project is visible to the user at all
    def hasProjectAccess = permissionManager.hasPermission(ProjectPermissions.BROWSE_PROJECTS, project, user)
    return "User '${USERNAME}' access to '${PROJECTKEY}' project: ${hasProjectAccess ? 'YES' : 'NO'}"



  6. Check user project roles
    Check the user's project roles in a project they shouldn't have access to.

    Code Block
    import com.atlassian.jira.component.ComponentAccessor
    import com.atlassian.jira.security.roles.ProjectRoleManager
    
    def USERNAME = "<USERNAME>"
    def PROJECTKEY = "<PROJECTKEY>"
    
    def roles = new ArrayList<String>()
    def projectRoleManager = ComponentAccessor.getComponent(ProjectRoleManager)
    
    def user = ComponentAccessor.userManager.getUserByName(USERNAME)
    def project = ComponentAccessor.projectManager.getProjectObjByKey(PROJECTKEY)
    
    if (!user) return "User '${USERNAME}' not found"
    if (!project) return "Project '${PROJECTKEY}' not found"
    
    // Collect the names of the project roles the user holds in this project (directly or through a group)
    def projectRoles = projectRoleManager.getProjectRoles(user, project)
    projectRoles.each { role -> roles.add(role.name) }
    
    return "Roles: " + roles.join(",")


  7. Load the Project Navigator and export the calls to the Projectrak backend

    Important: this operation must be performed using the affected user session, not with a Jira admin session.

    1. Press F12 to open the browser developer tools and switch to the “Network” tab.

    2. Load the Project Navigator.

    3. Export the captured network log to a “har” file.
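As an added example (not code from the page or from Projectrak), a small Python script that summarises the HAR exported in step 7: it lists the calls made to a given backend path, counts them by status code, and flags successful calls whose path names a project key the user should not see. The Projectrak REST path is not given on the page, so the path prefix is a parameter, `/rest/PLUGIN_PATH_PLACEHOLDER/` is a placeholder and the sample HAR is constructed.

```python
"""Summarise the backend calls captured in a HAR export (step 7 above).
Added example, not from the page or from Projectrak; the backend path is a placeholder."""
import json
from collections import Counter
from urllib.parse import urlparse

# Constructed sample in HAR 1.2 layout (what browser dev tools export); not a real capture.
SAMPLE_HAR = json.dumps({"log": {"version": "1.2", "entries": [
    {"request": {"method": "GET", "url": "https://jira.example.com/rest/PLUGIN_PATH_PLACEHOLDER/projects"},
     "response": {"status": 200}},
    {"request": {"method": "GET", "url": "https://jira.example.com/rest/PLUGIN_PATH_PLACEHOLDER/projects/HIDDEN"},
     "response": {"status": 200}},
    {"request": {"method": "GET", "url": "https://jira.example.com/rest/PLUGIN_PATH_PLACEHOLDER/projects/SECRET"},
     "response": {"status": 403}},
    {"request": {"method": "GET", "url": "https://jira.example.com/secure/BrowseProjects.jspa"},
     "response": {"status": 200}},
]}})


def backend_calls(har_text, path_prefix):
    """Return (method, path, status) for every entry whose URL path starts with path_prefix."""
    entries = json.loads(har_text)["log"]["entries"]
    calls = []
    for entry in entries:
        path = urlparse(entry["request"]["url"]).path
        if path.startswith(path_prefix):
            calls.append((entry["request"]["method"], path, entry["response"]["status"]))
    return calls


def status_summary(calls):
    """Count backend responses by status code; 401/403 are the calls the backend refused."""
    return Counter(status for _, _, status in calls)


def unexpected_hits(calls, forbidden_keys):
    """Successful (2xx) backend calls whose path contains a project key the user must not see."""
    return [c for c in calls
            if 200 <= c[2] < 300 and any(key in c[1].split("/") for key in forbidden_keys)]


if __name__ == "__main__":
    calls = backend_calls(SAMPLE_HAR, "/rest/PLUGIN_PATH_PLACEHOLDER/")
    print(dict(status_summary(calls)))                   # {200: 2, 403: 1}
    print(unexpected_hits(calls, ["HIDDEN", "SECRET"]))  # only the HIDDEN call returned 200
```

Compare the flagged paths with the project lists returned by the script in step 4: a 200 for a project that is absent from both lists is the discrepancy to report.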


...