Anonymous users are able to browse JIRA user base via REST API
プラットフォームについて: Server および Data Center のみ。この記事は、Server および Data Center プラットフォームのアトラシアン製品にのみ適用されます。
Support for Server* products ended on February 15th 2024. If you are running a Server product, you can visit the Atlassian Server end of support announcement to review your migration options.
*Fisheye および Crucible は除く
問題
Using any working REST endpoint as in JRASERVER-29069, anonymous users are able to retrieve the entire JIRA user base (without logging in JIRA).
JRASERVER-29069 - 課題詳細を取得中... ステータス
診断
JIRA does not allow Anonymous access. Anonymous users are required to log in before they can view projects and issues.
原因
Browse Users global permission is granted to Anyone.
ソリューション
If JIRA does not allow Anonymous access, it's not recommended to grant Browse Users global permission to Anyone. Dismissing Anyone from the permission will resolve the issue.