
Key: JRA-10308
Type: Bug
Status: Resolved
Resolution: Fixed
Priority: Major
Assignee: Jed Wesley-Smith [Atlassian]
Reporter: Emilio Moreno
Votes: 0
Watchers: 0
JIRA

Giving Manage Watchers Permission to Reporter or Current Assignee allows anyone who can view the watchers list to edit it

Created: 30/May/06 11:27 AM   Updated: 31/Jul/06 12:03 AM
Component/s: Permissions Security
Affects Version/s: 3.6.2
Fix Version/s: 3.6.4

Time Tracking:
Not Specified

Environment: RHEL update 3, Mysql4, Apache and 3.6.2 Enterprise.
Issue Links:
Cloners
 

Participants: Anton Mazkovoi [Atlassian], Emilio Moreno and Jed Wesley-Smith [Atlassian]
Since last comment: 2 years, 4 weeks, 3 days ago
Resolution Date: 31/Jul/06 12:03 AM
Labels:


Description
Hi, this issue (see original one) is happening again in 3.6.2; when you grant Manage Watcher List permission to "Reporter", everyone in the jira-users group can modify the watcher list of all the tasks in the system.

Anton Mazkovoi [Atlassian] added a comment - 30/May/06 04:26 PM
The problem is that the permission checks in the ManageWatchers WebWork action are done with the Project object (i.e. GenericValue) instead of the Issue.

So if the user has the View Watchers permission, they will get the link on the View Issue page. The check for manage Watcher list will return true for anyone if the permission has been given to Reporter and/or Current Assignee.


Anton Mazkovoi [Atlassian] added a comment - 30/May/06 04:38 PM
Emilio,

Is the View Watchers and Votes permission given to jira-users group in your system?

Thanks,
Anton


Emilio Moreno added a comment - 31/May/06 07:49 AM
Yes, it is. Do you want me to do tests removing it?

Anton Mazkovoi [Atlassian] added a comment - 31/May/06 03:17 PM
Hi Emilio,

I think if you remove this permission, the link to the page that lists the issue's watchers will disappear. However, this will mean that your JIRA users will not be able to see the issue's watchers.


Jed Wesley-Smith [Atlassian] added a comment - 31/Jul/06 12:03 AM
The ManageWatcher page was passing the Project rather than the Issue for permission checks. Now uses the Issue and works correctly.
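
Added example, not part of the issue thread and not JIRA source code: a simplified model of the flaw discussed above, where a permission granted to Reporter or Current Assignee is evaluated against a Project instead of an Issue. Every type and method name here is hypothetical, the sample users and issue are constructed, and the project-level behaviour is modelled only on the comment that the check "will return true for anyone".

```java
import java.util.Set;

// Added illustration, not JIRA source. All names are hypothetical. Requires Java 16+ (records).
public class WatcherPermissionDemo {
    record Project(String key) {}
    record Issue(Project project, String reporter, String assignee) {}
    // Who holds Manage Watcher List: named groups and/or issue-relative roles.
    record Scheme(Set<String> groups, boolean reporter, boolean currentAssignee) {}
    record User(String name, Set<String> groups) {}

    static boolean inGrantedGroup(Scheme s, User u) {
        return u.groups().stream().anyMatch(s.groups()::contains);
    }

    // Flawed shape: the check receives only the Project. There is no issue to
    // compare the user against, so a role grant is treated as satisfied, which
    // models the "returns true for anyone" behaviour described in the comments.
    static boolean canManageWatchers(Scheme s, Project p, User u) {
        return inGrantedGroup(s, u) || s.reporter() || s.currentAssignee();
    }

    // Fixed shape: the check receives the Issue, so roles resolve to people.
    static boolean canManageWatchers(Scheme s, Issue i, User u) {
        return inGrantedGroup(s, u)
            || (s.reporter() && u.name().equals(i.reporter()))
            || (s.currentAssignee() && u.name().equals(i.assignee()));
    }

    public static void main(String[] args) {
        // Constructed sample data: permission granted to Reporter only.
        Scheme scheme = new Scheme(Set.of(), true, false);
        Issue issue = new Issue(new Project("DEMO"), "alice", "bob");
        User alice = new User("alice", Set.of("jira-users"));
        User carol = new User("carol", Set.of("jira-users"));

        // alice is the reporter; carol is neither reporter nor assignee.
        for (User u : new User[] {alice, carol}) {
            System.out.printf("%-6s project-level=%b issue-level=%b%n", u.name(),
                canManageWatchers(scheme, issue.project(), u),
                canManageWatchers(scheme, issue, u));
        }
    }
}
```

A regression test for this class of bug should log in as a user who can view the watcher list but is neither reporter nor assignee, and confirm the manage-watchers action is refused.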