What is changing?
The GET avatars REST API will now enforce a permission check when fetching issue type avatars: custom avatars are returned only if the user has the Browse projects permission for at least one project in which the issue type avatar is used.
Additionally, when trying to view a custom issue type avatar using the /secure/viewavatar endpoint, if the user does not have the appropriate permission, a system default avatar will be returned.
Why is it changing?
Previously, this API allowed anonymous users to view custom issue type avatars. This presents a security risk, as intruders can view avatar images uploaded by other users.
What do I need to do?
If you are using either of these endpoints and require custom avatars to be shown, you will need to ensure you are authenticated as a user with the appropriate permission.
By when do I need to do it?
The change will be rolled out no sooner than 5th April, 2021.