Restrict search from showing all users and groups

Hi, 

From my perspective, the search shows too much information about user data, although the user who searches is not permitted to see these users and groups in other places.

Prerequisite: a user who has no “User” or “Group” permissions assigned to his role. He has access to one project.

Result:

  • User names are not shown in issues, e.g. “Created by Anonymized11” for creator (OK)
  • He cannot mention anyone (OK)
  • In search, autocomplete for e.g. commenter will show all groups in the system (not OK!).
    • As this even shows the team names, this will reveal all names of all projects in the system!

Prerequisite: a user who has user permission “Read User Basic” and no “Group” permissions assigned to his role. He has access to one project.

Result:

  • User names are shown in issues (OK)
  • He can mention anyone assigned to the project as team member (OK)
  • In search
    • autocomplete for commenter will show all groups in the system (not OK)
    • autocomplete for commenter will show all users in the system (not OK)

This is a problem when working with customers and partners in a single YouTrack instance, and different user groups are not allowed to see each other.

Is there any way to prevent this?

Is it possible to completely disable autocomplete for user and group data?

Best regards,

Julian
0
4 comments
Official comment

Hi Julian. Disabling auto-complete is not possible. Overall, this is a known issue that we plan to resolve by implementing organization-scoped access: HUB-11162. This feature is planned to introduce a scope for the Read User… permissions, i.e., someone with that permission in the scope of one organization will not be able to view users outside of that organization anywhere. Feel free to subscribe to this issue by voting or marking it with a star to receive updates.

Hi Stanislav,

I understand, thanks for help. During research, I found https://youtrack.jetbrains.com/issue/JT-29123/Search-will-reveal-all-system-users and I think this would help me a lot. 

Unfortunately, -Djetbrains.youtrack.commands.filterStar=true as JVM start command didn't have the effect I was hoping for.
Can you see whether this should still work?

Best,

Julian

0

Unfortunately, the information in JT-29123 is quite outdated and isn't relevant to the newer builds. There are no workarounds we can offer here, I'm afraid.

0

Just in case anybody else is searching for a workaround:

Disabling autocomplete in search is possible by blocking the assist endpoint in nginx:

  • location ~* ^/api/search/assist

Best, 

Julian

1
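
The workaround from the last comment, written out as a complete reverse-proxy fragment. This is an added example, not configuration from the thread or from JetBrains; the server name, the backend address and the 403 response are assumptions, and only the location pattern comes from the comment.

```nginx
# Added example. Only the location pattern is taken from the thread;
# everything else is an assumption to adapt to your deployment.
server {
    listen 80;
    server_name youtrack.example.com;          # assumed host name

    # Regex locations are evaluated before the plain "/" prefix location,
    # so requests to the search assist endpoint never reach the backend.
    # "~*" matches case-insensitively; "^" anchors at the start of the URI,
    # so an instance served under a context path (for example
    # /youtrack/api/...) needs that prefix added to the pattern.
    location ~* ^/api/search/assist {
        return 403;                            # assumed response code
    }

    # Everything else is passed through unchanged.
    location / {
        proxy_pass http://127.0.0.1:8080;      # assumed YouTrack backend
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
```

The rule rejects every request to the assist endpoint regardless of the user's role, so search autocomplete is disabled for all users of the instance behind this proxy.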
