
Verify requesting user view permission #41

Open
eloo opened this issue Aug 29, 2017 · 8 comments

Comments

@eloo

eloo commented Aug 29, 2017

Relating to security and privacy, it would be great if the requesting user could be verified as permitted to view the requested issue.
If the user has access, the issue should be posted; otherwise nothing should happen.

Do you plan to implement such a security feature?

@gustavkarlsson
Owner

It sounds like a great idea. I'm not sure how easy it is, but I'll have a look at it.

@eloo
Author

eloo commented Aug 29, 2017

Okay, thanks.

@gustavkarlsson
Owner

The following REST call seems to accomplish this so I think there is a way forward: https://docs.atlassian.com/jira/REST/cloud/#api/2/user-findUsersWithBrowsePermission

@eloo Just to clarify something: Doing this only really works if the user names in rocket-chat match those in JIRA. I hope this is the case in your organization.
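An added illustration of the check described in this comment, written for this thread rather than taken from the project: the bot looks up, via the linked "find users with browse permission" call, whether the chat user who mentioned an issue key is among the JIRA users allowed to browse that issue, and stays silent otherwise. The endpoint path and its `username`/`issueKey` query parameters are assumed from the linked docs entry, `verify_requester` is a hypothetical opt-in setting, and `fake_fetch` is a constructed offline stand-in for JIRA.

```python
import json
from typing import Callable, Mapping
from urllib.parse import parse_qs, urlencode, urlparse

# Hypothetical bot setting: opt-in and off by default.
DEFAULT_CONFIG = {"verify_requester": False}
# Assumed v2 endpoint behind the linked "findUsersWithBrowsePermission" docs entry.
BROWSE_PERMISSION_PATH = "/rest/api/2/user/viewissue/search"

def build_permission_url(base_url: str, username: str, issue_key: str) -> str:
    """Lookup URL: users matching `username` who may browse `issue_key`."""
    query = urlencode({"username": username, "issueKey": issue_key, "maxResults": 50})
    return base_url.rstrip("/") + BROWSE_PERMISSION_PATH + "?" + query

def may_view_issue(fetch: Callable[[str], str], base_url: str,
                   chat_user: str, issue_key: str) -> bool:
    """True only if JIRA lists `chat_user` among users allowed to browse the issue; `fetch`
    does the authenticated GET as the bot's login user. Errors fail closed (False)."""
    if not chat_user:
        return False
    try:
        users = json.loads(fetch(build_permission_url(base_url, chat_user, issue_key)))
    except Exception:
        return False
    if not isinstance(users, list):
        return False
    # The username filter is a substring match, so insist on an exact (case-insensitive)
    # match of the chat user against the JIRA user name or e-mail address.
    wanted = chat_user.casefold()
    return any(isinstance(u, dict) and wanted in (
        (u.get("name") or "").casefold(), (u.get("emailAddress") or "").casefold())
        for u in users)

def should_post_issue(config: Mapping[str, bool], fetch: Callable[[str], str],
                      base_url: str, chat_user: str, issue_key: str) -> bool:
    """Gate the bot's reply to a mentioned issue key on the requester's view permission."""
    if not config.get("verify_requester", False):
        return True  # check disabled: keep the bot's existing behaviour
    return may_view_issue(fetch, base_url, chat_user, issue_key)

# Constructed stand-in for JIRA (not real data): one public issue, one restricted one.
_FAKE_JIRA = {"PUB-1": [{"name": "alice@example.com", "emailAddress": "alice@example.com"}],
              "SEC-7": []}

def fake_fetch(url: str) -> str:
    """Offline replacement for the HTTP call; mimics the endpoint's substring filter."""
    params = parse_qs(urlparse(url).query)
    needle = params["username"][0].casefold()
    return json.dumps([u for u in _FAKE_JIRA.get(params["issueKey"][0], [])
                       if needle in u["name"].casefold()])
```

With the setting off, `should_post_issue` keeps today's behaviour; with it on, a user who is not listed for the issue, a non-JSON or error body, or a name that only partially matches all result in no post.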

@eloo
Author

eloo commented Sep 4, 2017

@gustavkarlsson Nice research from your side.
This endpoint is exactly what we need.

Yeah, normally the username is the email address of a user. This, I guess, applies to most companies.

Maybe this feature should be configurable (enable/disable).

@gustavkarlsson
Owner

@eloo It should definitely be configurable (and disabled by default).

However, I've been thinking more about security issues lately, and I'm wary of the false sense of security this gives users...

If the JIRA setup contains issues that are hidden from some users, others that have the permission to view it might accidentally "expose" it merely by mentioning the issue key.

This is already an issue if the "login user" is given access to limited visibility issues, but at least that can be managed by a security-aware admin.

Maybe a better solution would be to only show issues that are visible to all users?

@eloo
Author

eloo commented Sep 4, 2017

@gustavkarlsson Yeah, we discussed this too, but the requester should be aware of who is reading a message, because other non-public content may also be shared by simply chatting around.
The vulnerability we want to fix with the requester verification is a simple brute-force attack on an issue key, and this could be done by verifying who is requesting an issue key.

@gustavkarlsson
Owner

You've got a point there. I'll have to document this behavior so that people understand the implications, but I think this is still probably the best solution to the problem.

@eloo
Author

eloo commented Sep 4, 2017

Yes, this must be documented.
Further, in future a check for all readers in a room could be useful too. But in the first instance, requester verification is quite good!

gustavkarlsson changed the title from "Verify requesting user" to "Verify requesting user view permission" on Sep 5, 2017