Avinash Jain, a Infrastructure Security Engineer, published an article on August 2, exposing JIRA, a widely used issue-tracking software worldwide. It is stated in his article that the loophole in JIRA has caused thousands of companies, including NASA, Google, Yahoo to Go-Jek, HipChat, Zendesk, to leak internal employees and project data. Jain also provides a way to find out what the vulnerabilities in JIRA are.
The leak is caused by the misconfiguration of user privileges, and such in Jira. It also has something to do with Anonymous Login the Anyone user group. Although Anonymous Login is also supported in ZenTao, it is strictly managed by ZenTao Administrators.You can find the comparison of permissions between JIRA and ZenTao HERE.
Limited Users and Limited Actions
ZenTao standalone privileges are the privileges of actions and users that are set separately in ZenTao. Limited User is a privilege group that is used to manage newcomers who might make mistakes and cause problems to the team because they are not familiar with how it works in the ZenTao. For limited users in ZenTao, they can only edit the content that is relevant to themselves, such as Tasks, Stories, and Bugs, and they cannot add them. They can edit the content that is about AssignedTo, Done, Closed, Cancelled, or Last Edited.
Limited User is also added in Project->Team->Manage Team to limit a user in a project. If a use is the Limited User in a project, s/he can only edit tasks, stories and bugs that are related to him/her in the project.
Note1. Company->Privilege->Limited User. The privilege settings applies for the whole system.
2. Project->Team->Manage Team. Limited User only applied in the project, and other projects is not applied.
3. If a user is added to the Limited User group, s/he will still have the privilege to edit the content the user created before, such as stories, task, and bugs.
If you still have questions about how to set privileges in ZenTao, check Groups and Privileges in ZenTao Manual or