Remove the Everyone share option from filters in Jira Data Center
Platform Notice: Data Center Only - This article only applies to Atlassian products on the Data Center platform.
Note that this KB was created for the Data Center version of the product. Data Center KBs for non-Data-Center-specific features may also work for Server versions of the product, however they have not been tested. Support for Server* products ended on February 15th 2024. If you are running a Server product, you can visit the Atlassian Server end of support announcement to review your migration options.
*Except Fisheye and Crucible
Summary
Prior to Jira 7.2.2, JIRA Administrators do not wish to allow filters to be shared with 'Everyone', as it makes them visible to anonymous (unauthenticated) users. This is due to the fact that you can't disable anonymous access to general pages in JIRA globally.
This behaviour is changed after the implementation of JRASERVER-23255 - Shared filters are visible to anonymous users when shared with 'Everyone' whereby JIRA administrators can now disable the ability to share dashboards and filters publicly (anonymous users) via a new global setting "Public sharing". Please read the description of the Suggestion ticket for more information on this change.
This article is a collection of workarounds that you can use to exclude the sharing of filters with anonymous users in Jira versions prior to 7.2.2. Some of these methods may still work in versions greater than 7.2.2 so you can continue using them, though we recommend just disabling the Public sharing (or equivalent) permission of your Jira application instead.
Solution
There are two possible solutions. They can be used individually or together if both outcomes are required:
a)Remove the option from the drop-down select list
With this solution, the options left for sharing a filter are with a group or project role that the user is a member of. See more details on Sharing a Filter.
b)Restrict access to the page URL for managing filters to only allow authenticated users access.
If an anonymous user attempts to access the page, they will be redirected to the login page.
You may also be interested on this related article:
How to bulk restrict Filters and Dashboards shared with anyone on the web or logged-in users in Jira
The alternatives presented here are considered customizations and are unsupported by Atlassian — only presented AS-IS for Admins to evaluate, assess the tradeoffs, and implement at their own risk.
You may learn more about the tradeoffs and caveats of such customizations in How to customize Jira with JavaScript and CSS.
The content on this page includes steps to customize or extend Atlassian software (adding/changing CSS rules, HTML, JavaScript, etc.). Per the Atlassian Support Offerings, support does not include customizations made to Atlassian products. Be aware that this material is provided for your information only and using it is done so at your risk.
If you have any questions about this or any customization, please ask the community at Atlassian Community or consider working with an Atlassian Solution Partner.
Option A: Remove 'Everyone' option from list
To hide the option 'Everyone' from the list you can either use JavaScript to remove the 'Everyone' option during page load or by modifying the view template file.
⚠️ Please note that either of these methods only hides the option from being displayed in the UI, not the functionality itself. It is still possible to send requests that will share filters with 'Everyone', but it requires more technical expertise than simply using the browser.
Using JavaScript in the Announcement Banner
This solution has been tested on JIRA 7.1.4, and Jira 8.5.0
Add the following JavaScript to the Announcement BannerNOTE: This will remove the option from filters AND dashboards.
<script type='text/javascript'> AJS.toInit(function() { var urlPath = $(location).attr('pathname'); console.log(urlPath); if (urlPath.toLowerCase().indexOf("editportalpage") >= 0 || urlPath.toLowerCase().indexOf("editfilter") >= 0 || urlPath.toLowerCase().indexOf("addportalpage") >= 0) { AJS.$("#share_type_selector_viewers option[value='global']").remove(); AJS.$("#share_type_selector option[value='global']").remove(); } }); </script>
Using CSS in the Announcement Banner
An alternative method is to rely on CSS instead of Javascript. This will work regardless of race-conditions on the browser page load but is more sensitive to version updates. These have been validated on Jira 9.4 and 9.11.
They are described in these two Issues:
JRASERVER-65962 - Option to disable "Any logged in user" permission
<!-- Custom CSS to hide the "Logged in users" option when sharing Filters and Dashboards (JRASERVER-65962) -->
<style>
#share_type_selector_viewers > option[value="loggedin"] {
display: none !important;
}
</style><!-- Custom CSS to hide the "Shared" option on Users profile (JRASERVER-69095) -->
<style>
#update-user-preferences #update-user-preferences-sharing option:nth-child(1) {
display: none !important;
}
</style>Option B: Restrict access to view shared filters for authenticated users only
ℹ️ This solution has been tested on Jira 7.1.4.
Shutdown Jira
Edit the actions.xml located in the JIRA-INSTALL
/atlassian-jira/WEB-INF/classesdirectory.Modify the file from:
<!-- Filter actions -->
<action name="filter.ManageFilters" alias="ManageFilters">
<view name="success">/secure/views/filter/managefilters.jsp</view>
<view name="contentonly">/secure/views/filter/managefilters-content.jsp</view>
<view name="securitybreach">/secure/views/securitybreach.jsp</view>
<view name="error">/secure/views/filter/managefilters.jsp</view>
</action>To:
<!-- Filter actions -->
<action name="filter.ManageFilters" alias="ManageFilters" roles-required="use">
<view name="success">/secure/views/filter/managefilters.jsp</view>
<view name="contentonly">/secure/views/filter/managefilters-content.jsp</view>
<view name="securitybreach">/secure/views/securitybreach.jsp</view>
<view name="error">/secure/views/filter/managefilters.jsp</view>
</action>4. Restart Jira.
Was this helpful?