...
Projectrak permissions approach
Checks
- Load the Jira Browse Project page and check displays the same projects than the Project NavigatorDisable the Projectrak "View all projects" option from Administration and test it from "Projects \ View all projts" menu
Important: this operation must be performed using the affected user session. Not with a Jira admin session.https://<jira_baseURL>/secure/BrowseProjects.jspa?selectedCategory=all&selectedProjectType=all
- Check if the user can access issues of Projects that shouldn't has access to
- Important: this operation must be performed using the affected user session. Not with a Jira admin session.
- Important: this operation must be performed using the affected user session. Not with a Jira admin session.
- Check the “Browse projects” permission on the project(s) that the user should not see
Get User information using the Projectrak script console
This code returns projects the user has access to, and groups which belongs to.
It's done using just the Jira Java API. Not Projectrak API.Code Block import com.atlassian.jira.component.ComponentAccessor import com.atlassian.jira.bc.project.ProjectService import com.atlassian.jira.security.PermissionManager import com.atlassian.jira.security.Permissions import com.atlassian.jira.permission.ProjectPermissions def USERNAME = "<USERNAME>" def outcome = "" def projectService = ComponentAccessor.getComponent(ProjectService) def permissionManager = ComponentAccessor.getComponent(PermissionManager) def projectManager = ComponentAccessor.projectManager def user = ComponentAccessor.userManager.getUserByName(USERNAME) if (!user) return "ERROR:'${USERNAME}' not found" if (permissionManager.hasPermission(Permissions.ADMINISTER, user)) return "User '${USERNAME}' is a global admin and have access to all projects" outcome = "<p>- User: ${user}</p>" //Projects from "ProjectService" def userProjects1 = new ArrayList<String>() projectService.getAllProjects(user).get().each { project -> userProjects1.add(project.key)} outcome += "<p>- User projects from 'ProjectService': ${userProjects1.join(',')}</p>" //Projects from "ProjectManager" checking the "BROWSE_PROJECTS" permission. def userProjects2 = new ArrayList<String>() projectManager.getProjects().each { project -> if (permissionManager.hasPermission(ProjectPermissions.BROWSE_PROJECTS, project, user)) userProjects2.add(project.key) } outcome += "<p>- User projects from 'ProjectManager' with 'BROWSE_PROJECTS' permission: ${userProjects2.join(',')}</p>" //User groups def groups = new ArrayList<String>() def userGroups = ComponentAccessor.groupManager.getGroupsForUser(user) userGroups.each { group -> groups.add(group.name) } outcome += "<p>- User groups: ${groups.join(',')}</p>"
Check user access to a project
Check the access of this user to the project that souldn't have access to.Code Block import com.atlassian.jira.component.ComponentAccessor import com.atlassian.jira.security.PermissionManager import com.atlassian.jira.security.Permissions import com.atlassian.jira.permission.ProjectPermissions def USERNAME = "<USERNAME>" def PROJECTKEY = "<PROJECTKEY>" def userManager = ComponentAccessor.userManager def permissionManager = ComponentAccessor.getComponent(PermissionManager) def projectManager = ComponentAccessor.projectManager def user = userManager.getUserByName(USERNAME) if (!user) return "User '${USERNAME}' not found" def project = projectManager.getProjectByCurrentKey(PROJECTKEY) if (!project) return "Project '${PROJECTKEY}' not found" if (permissionManager.hasPermission(Permissions.ADMINISTER, user)) return "User '${USERNAME}' is a global admin and have access to all projects" def hasProjectAccess = permissionManager.hasPermission(ProjectPermissions.BROWSE_PROJECTS, project, user) return "User '${USERNAME}' access to '${PROJECTKEY}' project: ${hasProjectAccess ? 'YES' : 'NO'}"
Check user project roles
Check the user project roles in a project that souldn't have access to.Code Block import com.atlassian.jira.component.ComponentAccessor import com.atlassian.jira.security.roles.ProjectRoleManager import com.atlassian.jira.project.Project def USERNAME = "<USERNAME>" def PROJECTKEY = "<PROJECTKEY>" def roles = new ArrayList<String>() def projectRoleManager = ComponentAccessor.getComponent(ProjectRoleManager) def user = ComponentAccessor.userManager.getUserByName(USERNAME) def project = ComponentAccessor.projectManager.getProjectObjByKey(PROJECTKEY) if (user && project) { def projectRoles = projectRoleManager.getProjectRoles(user, project) if (projectRoles) { projectRoles.each { role -> roles.add(role) } } } return "Roles: " + roles.join(",")
- Load the Project navigator and export the calls to the Projectrak backend
Important: this operation must be performed using the affected user session. Not with a Jira admin session.Click the F12 keyboard button to open the browser console and switch to the “Network” tab.
Load the Project Navigator.
Export the browser logs to a “har” file.
Related articles
...