Adding browse project permission check for viewing custom issue type avatars

What is changing?

The GET avatars REST API will now enforce a permission check when fetching issue type avatars: custom avatars are returned only if the user has the Browse Projects permission for at least one project in which the issue type avatar is used.

Additionally, when a custom issue type avatar is requested through the /secure/viewavatar endpoint and the user does not have the appropriate permission, a system default avatar is returned instead.
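The two behaviours above amount to one authorization rule keyed on where an avatar is used, not on who uploaded it. The following is an added example, not Atlassian's code, that models that rule so the decision can be exercised offline: a custom avatar is served only to a caller holding Browse Projects in at least one project whose issue types use it, anonymous callers and everyone else get the system default, and the listing endpoint is filtered by the same check. The class and field names, ids, and sample data are all constructed for the example.

```python
"""Model of the issue type avatar permission rule (added example, not Atlassian's code).

Names, ids and sample data are constructed; the real Jira permission model is richer
(permission schemes, groups, roles), but the decision shown here is the one the
announcement describes.
"""
from __future__ import annotations

from dataclasses import dataclass

ANONYMOUS = None  # account id used for unauthenticated requests (constructed convention)
DEFAULT_AVATAR_ID = "sys-default"  # placeholder id for the system default avatar


@dataclass(frozen=True)
class Avatar:
    avatar_id: str
    is_system: bool
    image: bytes  # placeholder for the image bytes


@dataclass
class Site:
    avatars: dict[str, Avatar]
    issue_type_avatars: dict[str, str]        # issue type id -> avatar id
    project_issue_types: dict[str, set[str]]  # project key -> issue type ids in its scheme
    browse_grants: dict[str, set[str]]        # project key -> account ids holding BROWSE_PROJECTS

    def projects_using_avatar(self, avatar_id: str) -> set[str]:
        """Projects whose issue type scheme contains an issue type carrying this avatar."""
        types = {t for t, a in self.issue_type_avatars.items() if a == avatar_id}
        return {p for p, its in self.project_issue_types.items() if its & types}

    def can_browse(self, project_key: str, account_id) -> bool:
        """Browse Projects check; anonymous callers hold no grants in this model."""
        if account_id is ANONYMOUS:
            return False
        return account_id in self.browse_grants.get(project_key, set())

    def can_view_avatar(self, avatar_id: str, account_id) -> bool:
        """System avatars are public; custom ones require Browse Projects on a using project."""
        avatar = self.avatars.get(avatar_id)
        if avatar is None:
            return False
        if avatar.is_system:
            return True
        return any(self.can_browse(p, account_id) for p in self.projects_using_avatar(avatar_id))

    def view_avatar(self, avatar_id: str, account_id) -> Avatar:
        """/secure/viewavatar behaviour: the custom avatar if permitted, else the default."""
        if self.can_view_avatar(avatar_id, account_id):
            return self.avatars[avatar_id]
        return self.avatars[DEFAULT_AVATAR_ID]

    def list_issue_type_avatars(self, account_id) -> list[str]:
        """GET avatars behaviour: system avatars plus only the custom ones the caller may see."""
        return sorted(a for a in self.avatars if self.can_view_avatar(a, account_id))


def sample_site() -> Site:
    """Constructed sample data: custom-1 is used only by project SEC, which bob cannot browse."""
    return Site(
        avatars={
            DEFAULT_AVATAR_ID: Avatar(DEFAULT_AVATAR_ID, True, b"<default png>"),
            "sys-bug": Avatar("sys-bug", True, b"<bug png>"),
            "custom-1": Avatar("custom-1", False, b"<uploaded png>"),
        },
        issue_type_avatars={"10001": "sys-bug", "10002": "custom-1"},
        project_issue_types={"PUB": {"10001"}, "SEC": {"10001", "10002"}},
        browse_grants={"PUB": {"alice", "bob"}, "SEC": {"alice"}},
    )


if __name__ == "__main__":
    site = sample_site()
    for who in (ANONYMOUS, "bob", "alice"):
        served = site.view_avatar("custom-1", who).avatar_id
        print(who or "anonymous", served, site.list_issue_type_avatars(who))
```

The point the model makes explicit is that a user can be fully authenticated and still receive the default avatar: bob holds Browse Projects on PUB, but custom-1 is only used by SEC, so the check fails for him exactly as it does for an anonymous caller.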

Why is it changing?

Previously this API allowed anonymous users to view custom issue type avatars. This presents a security risk, as an unauthenticated party could view avatar images uploaded by other users.

What do I need to do?

If you are using either of these endpoints and require custom avatars to be shown, you will need to ensure you are authenticated as a user with the appropriate permission.

By when do I need to do it?

The change will be rolled out no sooner than 5th April, 2021.


While I appreciate the importance of this update, it potentially causes issues given that uploading custom issuetype icons was the best way of uploading custom priority icons on Jira cloud (the recommended method is to upload them as attachments but this then requires a project which can be accessed by everybody, not always desirable if there are security concerns and very clunky). Perhaps it is time to revisit https://jira.atlassian.com/browse/JRACLOUD-21246 to allow proper upload of custom icons (or at least add a global permission to allow control of access to these issuetype icons)?
