/
How to verify comment visibility applies

How to verify comment visibility applies

Owned by Fernando Boucquez (PPL) (Deactivated)
Last updated: Mar 24, 2025 by Denny Miller
3 min read

 

 

During notification, JEMHCloud renders templates differently depending on the recipient users, for example due to security. Private/restricted comments should only be sent to users that are allowed to see it, so if the recipient is an email only user, a restricted comment shouldn't rendered/sent. Similarly, if the recipient is a Jira user without the required role or doesn't belong to the required group.  Notifications are sent or not according to the information displayed. Some emails could be empty if no comment (e.g restricted) or change is displayed. In this case, the notification is not sent.

This guide will show you how to verify the content of an email depending on the issue's event and the recipient. 

Step-by-step guide

  1. Create a private comment in an issue.  Note that project must have an issue notification mapping associated (Notifications->Notification Mappings->Issue)

  2. Create a Preview Context from the Web-Hook event JIRA generates




    The comment on the event is internal as it includes something like:

    "body": "This comment can only be seen by admins", "jsdPublic": false, "created": "2023-04-06T16:48:49.812+0100", "updated": "2023-04-06T16:48:49.812+0100"

  3. Go to Notifications > Preview.  Select the used Issue Updated Template and the preview context you've just created

  4. Leave Recipient blank to test how the email looks like if it is sent to an email only user. Hit Preview.

  5. The error identifies that the comment has been excluded and that the generated email is empty so the notification wouldn't be sent.  The Email is empty as the event contains one comment that email-only users are not allowed to read.  If you repeat the test changing the recipient to an administrator, Email content should be displayed:

     

This same strategy (create/update/comment issue, create preview context and preview templates) can be used to troubleshooting multiple email notification problems.

 

Limitations of retrieving restricted visibility comments

System default notifications relying on the merged comments bundle context ($context.comments) will always contain comments the recipient has the correct visibility to see.

If you are using custom templates with the issue comments bundle ($context.issue.fields.comment.comments), historic issue comments with comment visibility restrictions may not be visible, due to limitations with the Get Issue REST API:

As Jira Software does not have a public/internal concept, all the images are public by design. The restriction is only applied to the comment and as an attachment will be part of the comment the restriction will applied to that specific attachment. So restriction can only be checked on the comment.

This problem is exclusive to Software projects, resulting in restricted visibility comment attachments to not always be available from the Issue. As part of our secure-by-default approach, this results in the restricted visibility comments from not being sent to recipients that should have permission to view the given attachments.

JSM public/internal comment visibility restrictions are retrieved from JSM as expected.

To vote/watch on progress of this issue, please see https://jira.atlassian.com/browse/JSDCLOUD-6582.

 

 

Related articles

Related content