Jira notifications (batched and non-batched) not sent anymore to users who don't have application access after Jira upgrade to 8.19.0+
Platform Notice: Data Center Only - This article only applies to Atlassian apps on the Data Center platform.
Note that this KB was created for the Data Center version of the product. Data Center KBs for non-Data-Center-specific features may also work for Server versions of the product, however they have not been tested. Support for Server* products ended on February 15th 2024. If you are running a Server product, you can visit the Atlassian Server end of support announcement to review your migration options.
*Except Fisheye and Crucible
Summary
After upgrading Jira to 8.19.0 (or any higher version), Jira users who don't have application access no longer receive Jira notifications related to issue updates that they are involved in (by being the reporter, assignee, watcher, component leader, ...).
Environment
The following Jira versions are impacted:
Any 8.19.x version
The versions 8.20.0 to 8.20.5 included
Any 8.21.x version
The version 8.22.0
Note: this behavior only impacts Jira notifications (batched and non-batched), not to be confused with customer notifications from Jira Service Management projects.
Diagnosis
The issue occurs:
after upgrading to Jira 8.19.0 or any higher version (or in a fresh Jira 8.19.0+ instance)
with any type of project (Core, Software, Service Management)
whether the batched notifications are disabled or enabled
The issue only impacts Jira users who don't have Jira application access (via a Jira license)
For the impacted user who is not receiving Jira notifications:
The permission helper (accessible from ⚙ > System > Permission helper) is showing that the user has the permission to access the issue (via the Browse Project permission)
The notification helper (accessible from ⚙ > System > Notification helper) is showing that the user is eligible to receive a notification (due to how the notification scheme is configured for the project)
Cause
There was a change introduced in Jira 8.19.0 which impacts the way Jira notifications are sent, due to the vulnerability bug tracked in https://jira.atlassian.com/browse/JRASERVER-72737
Up to Jira 8.18.x, Jira users did not need to have Jira application access to receive Jira notifications from an issue, as long as this user verified the 2 following conditions:
had access to the Jira issue
was eligible to receive a notification from this issue for specific events, as per the notification scheme configuration
Since this behavior was recently considered as a vulnerability issue, there is now a 3rd condition which is necessary for Jira users to receive notifications: users now need to have Jira application access (via a Jira license).
ℹ️ Notes:
This change only impacts Jira notification sent based upon the notification scheme (upon issue creation, update, comment, etc...).
This change does not impact the way the mention notifications work:
If a user without application access is tagged in a Jira comment, this user might or might receive the notifications depending on various parameters such as the type of project, and whether Jira notification batching is enabled or not
Please refer to the bug https://jira.atlassian.com/browse/JRASERVER-77638 for the inconsistencies around how the mention notifications are sent or not sent to unlicensed users
Solution
Solution 1
Grant application access to the impacted users, by adding them to a group which is configured to provide application access, per Manage group access to applications.
Solution 2
Upgrade the Jira application to 8.20.6 (or any higher version within 8.20.x), or 8.22.1 (or any version above this one), and enable the Dark Feature Flag below:
com.atlassian.jira.send.email.notifications.to.user.without.application.access.enabled⚠️ Note that theJira versions 8.21.x do not contain this dark feature, so if you are using Jira 8.21.x, you will need to upgrade to 8.22.1 or any higher version.
Related
Was this helpful?