@akassab, @vendors
I want to report (ask about) a problem with the /rest/api/2/user/search REST endpoint that looks like a bug.
We have performed the last step of the GDPR migration (replaced the user keys with accountID in our database). We used the aforementioned endpoint to search for users and their accountID by sending user keys in the query.
Most of the requests returned the expected data. One of the expected responses was an empty HTTP 200, which could mean that the user is no longer there (we assumed that this could happen).
When analyzing logs, we discovered that for some Jira instances 100% of responses returned an empty HTTP 200. That looked worrying, so we started an investigation (please note that we asked only for a subset of Jira users, so we might have had bad luck getting 100% empty responses).
Unfortunately, we were able to reproduce that behavior (an empty response for an existing user) on our production Jira instance by removing the “Browse users and groups” permission for the “jira-servicedesk-users” group. And it looks like a serious issue.
Important facts:
- calls were made from the server side as an app (which holds READ and ADMIN permissions)
- in the Jira UI it is no longer possible to see the app user and give/reject permissions on that basis.
- we asked/searched for a regular user who is present in (and has access to) Jira Core and Software
- restoring the permission (“Browse users and groups”) to the group “jira-servicedesk-users” made the search endpoint return correct (non-empty) data again.
The above looks like a Jira bug that prevents us from migrating all stored user data to accountID.
Did anyone face it?
Thanks,
Jack
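
As an added example (not part of the original post, and not the poster's or Atlassian's code): one way a migration job could avoid treating an empty HTTP 200 from the search endpoint as proof that a user is gone. The instance names, user keys, account IDs and the `min_sample` threshold are constructed for illustration, and the response is assumed to be a JSON array of user objects carrying an `accountId` field.

```python
from collections import defaultdict

# Constructed sample data: (instance, user_key, http_status, parsed JSON body).
SAMPLE_LOOKUPS = [
    ("site-a.example", "jdoe", 200, [{"accountId": "acc-0001"}]),
    ("site-a.example", "old.user", 200, []),
    ("site-a.example", "asmith", 200, [{"accountId": "acc-0002"}]),
    ("site-b.example", "bwayne", 200, []),
    ("site-b.example", "ckent", 200, []),
    ("site-b.example", "dprince", 200, []),
    ("site-c.example", "solo", 200, []),
]


def plan_migration(lookups, min_sample=3):
    """Return (mapped, deferred, suspect) without ever inferring 'user deleted'.

    An empty HTTP 200 only means "no visible match" for the calling identity.
    An instance whose lookups are all empty is flagged as suspect once at
    least min_sample lookups were made (hypothetical threshold, so a tiny
    subset of users does not trigger the flag by bad luck).
    """
    by_instance = defaultdict(list)
    for instance, key, status, body in lookups:
        by_instance[instance].append((key, status, body))

    mapped, deferred, suspect = {}, {}, set()
    for instance, rows in by_instance.items():
        all_empty = all(s == 200 and not b for _, s, b in rows)
        if all_empty and len(rows) >= min_sample:
            suspect.add(instance)
        for key, status, body in rows:
            hits = body or []
            if status == 200 and len(hits) == 1 and hits[0].get("accountId"):
                # Exactly one match: safe to replace the stored user key.
                mapped[(instance, key)] = hits[0]["accountId"]
            elif instance in suspect:
                deferred[(instance, key)] = "all lookups empty: check app permissions"
            elif status == 200 and not hits:
                deferred[(instance, key)] = "empty 200: keep user key and retry"
            else:
                deferred[(instance, key)] = f"HTTP {status} with {len(hits)} hits: review"
    return mapped, deferred, suspect
```

Deferred entries keep their original user key in the database, so nothing is lost if the empty responses later turn out to be a visibility problem rather than missing users.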