Improve Share Accessibility when user in Jira instance is disabled/removed
Description
When shares are accessed via user API calls and the users linked to these shares are no longer available,
the shares become inaccessible to external users.
Definition:
Access → Jira user account has no access to Jira or account was deleted or maybe some other cases??
We can provide in project configuration an option to automatically select new share actor
if previous share actor lost access to Jira instance.
Can we detect this upon share render?
If yes and we detect that share owner lost access we should change share actor to the one from project configuration.
Can we detect this upon share render
- Yes, we can detect it and change actor.
What was done within this ticket:
- Added enable/disable button and user picker in project config, to automatically set reserve actor
- In case of opening share by external link:
  - If current actor has no permission to access Jira instance, we check if reserve actor (one from project config) has permission.
  - If it also does not have access, we display the share as if it was disabled.
  - If reserve actor has access, we open share as reserve actor (but do not change actor permanently in the db)
- Logic of checking if actor has access to Jira instance:
- In case of user API calls:
  - The situation looks similar to the above, except that if the user does not have access to the Jira instance then 401 UNAUTHORIZED is returned.
For Testing:
How that can be tested?
- Just by giving/removing access to user account to Jira instance and trying to open share in normal way or API call.
Due to my research, there are three cases if user has no access to Jira instance:
- User access is suspended
- User account status is active, but does not belong to group membership
- User’s account is deleted
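The actor-resolution steps listed under "What was done within this ticket", as an added JavaScript sketch that is not the app's own code. All names (`hasJiraAccess`, `resolveShareActor`, `reserveActorEnabled`, `reserveActorId`) and the sample directory are hypothetical and constructed; it assumes the API path also tries the reserve actor before returning 401.

```javascript
// Added illustration; every name here is hypothetical, not the app's real code.
// Constructed sample data: account id -> access state, standing in for a real
// Jira access probe. An id missing from the map models a deleted account.
const SAMPLE_DIRECTORY = {
  alice: "active",
  bob: "suspended",            // user access is suspended
  carol: "no-product-access",  // active account, removed from the access group
  erin: "active",
};

// Fail closed: anything other than an explicit "active" counts as no access.
function hasJiraAccess(directory, accountId) {
  return typeof accountId === "string" &&
    Object.prototype.hasOwnProperty.call(directory, accountId) &&
    directory[accountId] === "active";
}

// channel is "link" (external link) or "api" (user API call).
// Assumption: the API path also tries the reserve actor before returning 401.
function resolveShareActor(share, projectConfig, channel, directory) {
  if (hasJiraAccess(directory, share.actorId)) {
    return { outcome: "render", actAs: share.actorId, substituted: false };
  }
  // The reserve actor is only considered when the project option is enabled.
  const reserve = projectConfig.reserveActorEnabled
    ? projectConfig.reserveActorId
    : null;
  if (reserve && hasJiraAccess(directory, reserve)) {
    // Per-request substitution only; the stored share.actorId is not modified.
    return { outcome: "render", actAs: reserve, substituted: true };
  }
  // Neither actor has access: disabled view for links, 401 for API calls.
  return channel === "api"
    ? { outcome: "unauthorized", status: 401 }
    : { outcome: "disabled" };
}
```

The `substituted` flag lets the caller log each request that was served under the reserve actor instead of the share's stored actor.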
@Krzysztof Bogdan Cron added, previous logic removed. Can you take a look?
@Krzysztof Bogdan 🏓
@Daniel Siara Changes requested
@Krzysztof Bogdan Description updated, so can you take a look into code?
@Daniel Siara Looks good 👍 Please update issue description.
@Krzysztof Bogdan Please let me know if you have any questions to this description, or I am doing anything wrong
Can we detect this upon share render
- Yes, we can detect it and change actor.

What was done within this ticket:
- Added enable/disable button and user picker in project config, to automatically set reserve actor
- In case of opening share by external link:
  - If current actor has no permission to access Jira instance, we check if reserve actor (one from project config) has permission.
  - If also does not have access, we display the share as if was disabled.
  - If reserve actor has access, we open share as reserve actor (but not change actor permanently in the db, should we?)
- Logic of checking if actor has access to Jira instance:
- In case of user API calls:
  - The situation looks similar to the above, except that if the user does not have access to the Jira instance then 401 UNAUTHORIZED is returned.

How that can be tested?
- Just by giving/removing access to user account to Jira instance and trying to open share in normal way or API call.

Due to my research, there are three cases if user has no access to Jira instance:
- User access is suspended
- User account status is active, but does not belong to group membership
- User’s account is deleted
@Daniel Siara Please review ticket description:
Please specify what was done within this ticket. How it works. When/what we do at what point.
How that can be tested.
@Krzysztof Bogdan Which questions are still open?
We can detect lost-access situation before share render and substitute to “reserve actor” (opening share using external link / API call)
There are 3 cases of losing access to Jira:
- Admin removed user’s Group membership/Product access
- User has suspended access
- User’s account was deleted
The easiest way to find out if user has access to Jira instance is to do some simple api call by this user (getPriorities or some other basic api call) and catch good error.
Do you have any other cases about this task?
@Daniel Siara What should I review?
There are still open questions in issue description.
Can you elaborate what you want me to review?
Hello @Krzysztof Bogdan,
Task is ready for review.
@Daniel Siara please make sure reviewer has easy access to content to be reviewed.
If this is code change. Please make sure PR is created.
If this is new documentation, blogpost, etc. Please provide link to page.