Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

Projectrak permissions approach

Manage permissions

Checks

  1. Load the Jira Browse Project page and check displays the same projects than the Project NavigatorDisable the Projectrak "View all projects" option from Administration and test it from "Projects \ View all projts" menu
    Important:
    this operation must be performed using the affected user session. Not with a Jira admin session.
    https://<jira_baseURL>/secure/BrowseProjects.jspa?selectedCategory=all&selectedProjectType=all
    Image Removed



  2. Check if the user can access issues of Projects that shouldn't has access to
    1. Important: this operation must be performed using the affected user session. Not with a Jira admin session.
  3. Check the “Browse projects” permission on the project(s) that the user should not see



  4. Get User information using the Projectrak script console
    This code returns projects the user has access to, and groups which belongs to.
    It's done using just the Jira Java API. Not Projectrak API.

    Code Block
    import com.atlassian.jira.component.ComponentAccessor
    import com.atlassian.jira.bc.project.ProjectService
    import com.atlassian.jira.security.PermissionManager
    import com.atlassian.jira.security.Permissions
    import com.atlassian.jira.permission.ProjectPermissions
    
    def USERNAME = "<USERNAME>"
    def outcome = ""
    
    def projectService = ComponentAccessor.getComponent(ProjectService)
    def permissionManager = ComponentAccessor.getComponent(PermissionManager)
    def projectManager = ComponentAccessor.projectManager
    
    def user = ComponentAccessor.userManager.getUserByName(USERNAME)
    if (!user) return "ERROR:'${USERNAME}' not found"
    if (permissionManager.hasPermission(Permissions.ADMINISTER, user)) return "User '${USERNAME}' is a global admin and have access to all projects"
    
    outcome = "<p>- User: ${user}</p>"
    
    //Projects from "ProjectService"
    def userProjects1 = new ArrayList<String>()
    projectService.getAllProjects(user).get().each { project -> userProjects1.add(project.key)}
    outcome += "<p>- User projects from 'ProjectService': ${userProjects1.join(',')}</p>"
    
    //Projects from "ProjectManager" checking the "BROWSE_PROJECTS" permission.
    def userProjects2 = new ArrayList<String>()
    projectManager.getProjects().each { project ->
    if (permissionManager.hasPermission(ProjectPermissions.BROWSE_PROJECTS, project, user)) userProjects2.add(project.key)
    }
    outcome += "<p>- User projects from 'ProjectManager' with 'BROWSE_PROJECTS' permission: ${userProjects2.join(',')}</p>"
    
    //User groups
    def groups = new ArrayList<String>()
    def userGroups = ComponentAccessor.groupManager.getGroupsForUser(user)
    userGroups.each { group -> groups.add(group.name) }
    
    outcome += "<p>- User groups: ${groups.join(',')}</p>"
    
    


  5. Check user access to a project
    Check the access of this user to the project that souldn't have access to.

    Code Block
    import com.atlassian.jira.component.ComponentAccessor
    import com.atlassian.jira.security.PermissionManager
    import com.atlassian.jira.security.Permissions
    import com.atlassian.jira.permission.ProjectPermissions
    
    def USERNAME = "<USERNAME>"
    def PROJECTKEY = "<PROJECTKEY>"
    
    def userManager = ComponentAccessor.userManager
    def permissionManager = ComponentAccessor.getComponent(PermissionManager)
    def projectManager = ComponentAccessor.projectManager
    
    def user = userManager.getUserByName(USERNAME)
    if (!user) return "User '${USERNAME}' not found"
    
    def project = projectManager.getProjectByCurrentKey(PROJECTKEY)
    if (!project) return "Project '${PROJECTKEY}' not found"
    
    if (permissionManager.hasPermission(Permissions.ADMINISTER, user))
    return "User '${USERNAME}' is a global admin and have access to all projects"
    
    def hasProjectAccess = permissionManager.hasPermission(ProjectPermissions.BROWSE_PROJECTS, project, user)
    return "User '${USERNAME}' access to '${PROJECTKEY}' project: ${hasProjectAccess ? 'YES' : 'NO'}"
    
    



  6. Check user project roles
    Check the user project roles in a project that souldn't have access to.

    Code Block
    import com.atlassian.jira.component.ComponentAccessor
    import com.atlassian.jira.security.roles.ProjectRoleManager
    import com.atlassian.jira.project.Project
    
    def USERNAME = "<USERNAME>"
    def PROJECTKEY = "<PROJECTKEY>"
    
    def roles = new ArrayList<String>()
    def projectRoleManager = ComponentAccessor.getComponent(ProjectRoleManager)
    
    def user = ComponentAccessor.userManager.getUserByName(USERNAME)
    def project = ComponentAccessor.projectManager.getProjectObjByKey(PROJECTKEY)
    
    if (user && project) {
    	def projectRoles = projectRoleManager.getProjectRoles(user, project)
    	if (projectRoles) {
    		projectRoles.each { role -> roles.add(role) }
    	}
    }
    return "Roles: " + roles.join(",")


  7. Load the Project navigator and export the calls to the Projectrak backend

    Important: this operation must be performed using the affected user session. Not with a Jira admin session.

    1. Click the F12 keyboard button to open the browser console and switch to the “Network” tab.

    2. Load the Project Navigator.

    3. Export the browser logs to a “har” file.

    Image RemovedImage Added


...