parent
ef14d419ab
commit
08a6342a99
|
@ -23,6 +23,15 @@ Inside a Jira instance **any user** (even **non-authenticated**) can **check its
|
||||||
If a **non-authenticated** user have any **privilege**, this is a **vulnerability** (bounty?).\
|
If a **non-authenticated** user have any **privilege**, this is a **vulnerability** (bounty?).\
|
||||||
If an **authenticated** user have any **unexpected privilege**, this a a **vuln**.
|
If an **authenticated** user have any **unexpected privilege**, this a a **vuln**.
|
||||||
|
|
||||||
|
Update: As of 18th September 2023 - the 'mypermissions' endpoint requires a 'permission' parameter with one of the following parameters
|
||||||
|
[https://developer.atlassian.com/cloud/jira/platform/change-notice-get-my-permissions-requires-permissions-query-parameter/#change-notice---get-my-permissions-resource-will-require-a-permissions-query-parameter](https://developer.atlassian.com/cloud/jira/platform/change-notice-get-my-permissions-requires-permissions-query-parameter/#change-notice---get-my-permissions-resource-will-require-a-permissions-query-parameter)
|
||||||
|
- BROWSE_PROJECTS
|
||||||
|
- CREATE_ISSUES
|
||||||
|
- ADMINISTER_PROJECTS
|
||||||
|
|
||||||
|
Example: `https://your-domain.atlassian.net/rest/api/2/mypermissions?permissions=BROWSE_PROJECTS,CREATE_ISSUES,ADMINISTER_PROJECTS`
|
||||||
|
|
||||||
|
|
||||||
```bash
|
```bash
|
||||||
#Check non-authenticated privileges
|
#Check non-authenticated privileges
|
||||||
curl https://jira.some.example.com/rest/api/2/mypermissions | jq | grep -iB6 '"havePermission": true'
|
curl https://jira.some.example.com/rest/api/2/mypermissions | jq | grep -iB6 '"havePermission": true'
|
||||||
|
|
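Review bot: The added update text names the parameter 'permission' (singular), but the example URL added with it uses `permissions=`, and the unchanged curl command in the trailing context still requests `/rest/api/2/mypermissions` with no query parameter, so the page's own check no longer matches the requirement it now documents. Suggest spelling the parameter `permissions` in the prose, rewording "one of the following parameters" to say these are values for that parameter (the example passes three of them comma-separated), and updating the curl line to append `?permissions=BROWSE_PROJECTS,CREATE_ISSUES,ADMINISTER_PROJECTS` with the URL quoted. The linked change notice sits under the `/cloud/jira/platform/` documentation path while the curl example targets `jira.some.example.com` rather than an `atlassian.net` host, so the update should also say which deployments it applies to.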