Check user access to projects

Hosting: DATA CENTER

Problem

Some users see projects in the Project Navigator that they do not have access to.

Reference

Projectrak permissions approach

Manage permissions

Checks

  1. Disable the Projectrak "View all projects" option in Administration and test it from the "Projects \ View all projects" menu.
    Important: this operation must be performed using the affected user session, not with a Jira admin session.


  2. Check if the user can access issues of projects that they shouldn't have access to.
    Important: this operation must be performed using the affected user session, not with a Jira admin session.
  3. Check the “Browse projects” permission on the project(s) that the user should not see.



  4. Get user information using the Projectrak script console
    This script returns the projects the user has access to and the groups the user belongs to.
    It uses only the Jira Java API, not the Projectrak API.

    import com.atlassian.jira.component.ComponentAccessor
    import com.atlassian.jira.bc.project.ProjectService
    import com.atlassian.jira.security.PermissionManager
    import com.atlassian.jira.security.Permissions
    import com.atlassian.jira.permission.ProjectPermissions
    
    // Replace with the username of the affected user
    def USERNAME = "<USERNAME>"
    def outcome = ""
    
    def projectService = ComponentAccessor.getComponent(ProjectService)
    def permissionManager = ComponentAccessor.getComponent(PermissionManager)
    def projectManager = ComponentAccessor.projectManager
    
    def user = ComponentAccessor.userManager.getUserByName(USERNAME)
    if (!user) return "ERROR: user '${USERNAME}' not found"
    // A global administrator can browse every project, so the checks below are meaningless for them
    if (permissionManager.hasPermission(Permissions.ADMINISTER, user)) return "User '${USERNAME}' is a global admin and has access to all projects"
    
    outcome = "<p>- User: ${user}</p>"
    
    // Projects from "ProjectService" (the list Jira itself considers visible to the user)
    def userProjects1 = new ArrayList<String>()
    projectService.getAllProjects(user).get().each { project -> userProjects1.add(project.key) }
    outcome += "<p>- User projects from 'ProjectService': ${userProjects1.join(',')}</p>"
    
    // Projects from "ProjectManager", checking the "BROWSE_PROJECTS" permission on every project
    def userProjects2 = new ArrayList<String>()
    projectManager.getProjects().each { project ->
        if (permissionManager.hasPermission(ProjectPermissions.BROWSE_PROJECTS, project, user)) userProjects2.add(project.key)
    }
    outcome += "<p>- User projects from 'ProjectManager' with 'BROWSE_PROJECTS' permission: ${userProjects2.join(',')}</p>"
    
    // Groups the user belongs to (group grants in a permission scheme are the usual source of unexpected access)
    def groups = new ArrayList<String>()
    def userGroups = ComponentAccessor.groupManager.getGroupsForUser(user)
    userGroups.each { group -> groups.add(group.name) }
    
    outcome += "<p>- User groups: ${groups.join(',')}</p>"
    
    return outcome
    
    


  5. Check user access to a project
    Check this user's access to the project that they shouldn't have access to.

    import com.atlassian.jira.component.ComponentAccessor
    import com.atlassian.jira.security.PermissionManager
    import com.atlassian.jira.security.Permissions
    import com.atlassian.jira.permission.ProjectPermissions
    
    // Replace with the affected username and the key of the project they should not see
    def USERNAME = "<USERNAME>"
    def PROJECTKEY = "<PROJECTKEY>"
    
    def userManager = ComponentAccessor.userManager
    def permissionManager = ComponentAccessor.getComponent(PermissionManager)
    def projectManager = ComponentAccessor.projectManager
    
    def user = userManager.getUserByName(USERNAME)
    if (!user) return "User '${USERNAME}' not found"
    
    def project = projectManager.getProjectByCurrentKey(PROJECTKEY)
    if (!project) return "Project '${PROJECTKEY}' not found"
    
    // Global administrators bypass project permissions entirely
    if (permissionManager.hasPermission(Permissions.ADMINISTER, user))
        return "User '${USERNAME}' is a global admin and has access to all projects"
    
    // "Browse Projects" is the permission that makes a project visible to a user
    def hasProjectAccess = permissionManager.hasPermission(ProjectPermissions.BROWSE_PROJECTS, project, user)
    return "User '${USERNAME}' access to '${PROJECTKEY}' project: ${hasProjectAccess ? 'YES' : 'NO'}"
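
    The script above answers YES or NO but not why. The following script is an added example for this page (it is not one of the Projectrak support scripts): it lists every "Browse Projects" grant in the project's permission scheme and marks which grants actually match the user, so the group, project role or "Any logged in user" grant that causes the unexpected access can be identified and removed. It uses the same placeholders as the scripts above and relies on PermissionSchemeManager.getPermissionSchemeEntries; the grant type strings ("group", "user", "projectrole", "projectlead", "applicationRole") are compared literally and should be verified against your Jira version.

```groovy
// Added example (not part of the original page or the Projectrak scripts).
// Lists the "Browse Projects" grants of the project's permission scheme and
// marks the ones that match the given user.
import com.atlassian.jira.component.ComponentAccessor
import com.atlassian.jira.permission.PermissionSchemeManager
import com.atlassian.jira.permission.ProjectPermissions
import com.atlassian.jira.security.roles.ProjectRoleManager

// Replace with the affected username and the key of the project they should not see
def USERNAME = "<USERNAME>"
def PROJECTKEY = "<PROJECTKEY>"

def userManager = ComponentAccessor.userManager
def groupManager = ComponentAccessor.groupManager
def projectManager = ComponentAccessor.projectManager
def permissionSchemeManager = ComponentAccessor.getComponent(PermissionSchemeManager)
def projectRoleManager = ComponentAccessor.getComponent(ProjectRoleManager)

def user = userManager.getUserByName(USERNAME)
if (!user) return "User '${USERNAME}' not found"
def project = projectManager.getProjectByCurrentKey(PROJECTKEY)
if (!project) return "Project '${PROJECTKEY}' not found"

def scheme = permissionSchemeManager.getSchemeFor(project)
// All grants of "Browse Projects" in the scheme applied to this project
def entries = permissionSchemeManager.getPermissionSchemeEntries(project, ProjectPermissions.BROWSE_PROJECTS)

def lines = ["Permission scheme: ${scheme?.name}",
             "Browse Projects grants for '${PROJECTKEY}' (MATCH = this grant gives '${USERNAME}' access):"]
entries.each { entry ->
    // Grant type strings are an assumption; verify them against your Jira version
    def type = entry.type
    def param = entry.parameter
    String matches
    switch (type) {
        case "group":
            matches = groupManager.isUserInGroup(user, param) ? "MATCH" : "no"
            break
        case "user":
            // Single-user grants store the user key as the parameter
            matches = (user.key == param) ? "MATCH" : "no"
            break
        case "projectrole":
            def role = projectRoleManager.getProjectRole(Long.parseLong(param))
            matches = (role && projectRoleManager.isUserInProjectRole(user, role, project)) ? "MATCH" : "no"
            break
        case "projectlead":
            matches = (project.projectLead?.key == user.key) ? "MATCH" : "no"
            break
        case "applicationRole":
            // An empty parameter is the "Any logged in user" grant, which matches everybody
            matches = param ? "check the user's application access manually" : "MATCH (any logged in user)"
            break
        default:
            // reporter, assignee, user/group custom fields, etc.: depend on issue data
            matches = "check manually"
    }
    lines << "- type=${type} parameter=${param ?: '(none)'} -> ${matches}"
}
return lines.join("<br/>")
```

    Every line marked MATCH is a grant that, on its own, makes the project visible to the user; a project that should be hidden from the user should produce no MATCH line at all.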
    
    



  6. Check user project roles
    Check the user's project roles in a project that they shouldn't have access to.

    import com.atlassian.jira.component.ComponentAccessor
    import com.atlassian.jira.security.roles.ProjectRoleManager
    
    // Replace with the affected username and the key of the project they should not see
    def USERNAME = "<USERNAME>"
    def PROJECTKEY = "<PROJECTKEY>"
    
    def roles = new ArrayList<String>()
    def projectRoleManager = ComponentAccessor.getComponent(ProjectRoleManager)
    
    def user = ComponentAccessor.userManager.getUserByName(USERNAME)
    def project = ComponentAccessor.projectManager.getProjectObjByKey(PROJECTKEY)
    
    if (user && project) {
        // Roles the user holds in this project, directly or through a group
        def projectRoles = projectRoleManager.getProjectRoles(user, project)
        if (projectRoles) {
            // Collect the role names rather than the role objects so the output is readable
            projectRoles.each { role -> roles.add(role.name) }
        }
    }
    return "Roles: " + roles.join(",")

  7. Load the Project navigator and export the calls to the Projectrak backend

    Important: this operation must be performed using the affected user session. Not with a Jira admin session.

    1. Press F12 to open the browser developer tools and switch to the “Network” tab.

    2. Load the Project Navigator.

    3. Export the recorded network requests to a “har” file.