Key: JRA-8950
Type: Bug
Status: Resolved
Resolution: Fixed
Priority: Critical
Assignee: Mark Chaimungkalanont [Atlassian]
Reporter: Erik S
Votes: 0
Watchers: 1

"Current Assignee" on Browse Permission creates security hole

Created: 05/Jan/06 07:13 PM   Updated: 10/Feb/08 05:09 PM
Component/s: Permissions Security
Affects Version/s: 3.4.2
Fix Version/s: 3.5

Time Tracking:
Original Estimate: 7 hours
Remaining Estimate: 5 hours
Time Spent: 2 hours

File Attachments: CurrentAssigneeHasAssignablePermission.class (3 kB)


Participants: =Neal Applebaum, David Feldman, Dylan Etkin [Atlassian], Erik S and Mark Chaimungkalanont [Atlassian]
Resolution Date: 12/Jan/06 05:04 PM

Description
Adding "Current Assignee" to the Browse permission for a project lets any user of the system see that project (they can't necessarily view issues or create issues, but they can see the project).

Comments
Mark Chaimungkalanont [Atlassian] added a comment - 05/Jan/06 10:55 PM
This is a similar problem to JRA-4935 I believe.

Erik S added a comment - 06/Jan/06 09:38 AM
Yes it is a similar problem.
Our desired behaviour is that if the "Current Assignee" is used in the Browse permission then a user can see a project if there is an issue currently assigned to them in that project. However, if they don't have any issues assigned to them then they don't see the project in any project list. (Of course, if a particular user has access via another Browse permission then they would see the project regardless)

=Neal Applebaum added a comment - 06/Jan/06 10:33 AM
What if the only issues that are assigned to someone are all closed? Would you still want that user to be able to browse the project? I would think they would be able to, based on what you described above.

Erik S added a comment - 06/Jan/06 11:10 PM
Yes, I'd want them to still be able to see the project even if all the issues assigned to them were closed.

Mark Chaimungkalanont [Atlassian] added a comment - 08/Jan/06 09:32 PM
Erik,

The problem here is performance. To implement this feature properly, we need an efficient way to determine whether the user has issues assigned to them or not. Performing a search for each permission check will cause the system to slow down significantly, especially since permission checks are performed constantly.

A workaround that we gave the users for JRA-4935 was to have a special permission where projects were only visible if the user also had the "create issue" permission. We can do a similar thing here and display the project if and only if the user has the Assignable permission.

That way only users who could have issues assigned to them will be able to see the project, even if they do not have issues assigned to them at the moment. Will this be acceptable for now?

Cheers,

Mark C
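
A constructed model of the two Browse permission types discussed above, added here as an illustration; it is not JIRA's code and does not reflect how the attached CurrentAssigneeHasAssignablePermission class is implemented. It assumes that a project-level Browse check (the one behind the project list) has no issue in scope, so a "Current Assignee" type has nothing to compare against and passes for everyone, which is the hole the report describes; the gated variant instead refuses unless the user holds the Assignable permission.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class Project:
    key: str
    browse_types: set        # permission types granted on Browse for this project
    assignable_users: set    # users who hold the Assignable permission (constructed)


@dataclass
class Issue:
    project_key: str
    assignee: Optional[str]


def current_assignee(user: str, project: Project, issue: Optional[Issue]) -> bool:
    """'Current Assignee' as modelled here (an assumption, not JIRA's code): with an
    issue in scope it matches only the assignee; with no issue in scope (project list)
    there is nothing to compare against, so the check passes for any user."""
    if issue is None:
        return True          # the hole: every user passes the project-level check
    return issue.assignee == user


def assignee_has_assignable(user: str, project: Project, issue: Optional[Issue]) -> bool:
    """Workaround from the thread: the project is visible if and only if the user
    holds the Assignable permission. The issue-level rule is assumed unchanged."""
    if user not in project.assignable_users:
        return False
    return True if issue is None else issue.assignee == user


PERMISSION_TYPES = {
    "current_assignee": current_assignee,
    "assigneeassignable": assignee_has_assignable,  # id from the permission-types.xml lines
}


def can_browse(user: str, project: Project, issue: Optional[Issue] = None) -> bool:
    """Browse is granted if any permission type configured on the project grants it."""
    return any(PERMISSION_TYPES[t](user, project, issue) for t in project.browse_types)


def visible_projects(user: str, projects: list) -> list:
    """The project list a user sees: projects whose project-level Browse check passes."""
    return sorted(p.key for p in projects if can_browse(user, p))


# Constructed sample: same Assignable grant, different Browse permission types.
PROJECTS = [
    Project("HOLE", {"current_assignee"}, {"alice"}),
    Project("FIXED", {"assigneeassignable"}, {"alice"}),
]
```

With this sample, a user who is not assignable anywhere still sees HOLE in the project list but not FIXED, while an assignable user sees both.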


Erik S added a comment - 09/Jan/06 01:05 PM
Mark,

Yes, that would be an acceptable solution for now.

Thanks,
Erik


Mark Chaimungkalanont [Atlassian] added a comment - 09/Jan/06 04:59 PM
Erik,

You will need to copy the file CurrentAssigneeHasAssignablePermission to the path \com\atlassian\jira\security\type in your JIRA install and add the lines below to your permission-types.xml and restart JIRA.

<type id="assigneeassignable" enterprise="true">
    <class>com.atlassian.jira.security.type.CurrentAssigneeHasAssignablePermission</class>
</type>

You can now choose a "special" permission type that will hide the projects if you don't have ASSIGNABLE permission.

Let us know how you go with this.

Cheers

Mark C


Erik S added a comment - 12/Jan/06 09:12 AM
Mark,

Thanks for the quick turnaround on this one. I'm eager to get this into our system, but I'm swamped right now. I'll let you know how it works for us, when I get a chance to plug it in to our system.

Thanks again.
Erik


Mark Chaimungkalanont [Atlassian] added a comment - 12/Jan/06 05:03 PM
Erik,

That's no worries, I'll resolve this issue for now (we're trying to clear out 3.5 issues). I've tested it locally and it seems to work as stated fine. Feel free to reopen the issue if you have problems with it once you get a chance to patch it.

Cheers,

Mark C


Erik S added a comment - 15/Jan/06 08:09 PM
When I view the "Add Permission" screen, the new permission shows up, but the name is listed as

admin.permission.types.current.assignee.has.assignable.perm

It would be nice if that was cleaned up.


Erik S added a comment - 15/Jan/06 08:15 PM
Would "Current User Has Assignable Permission" be a more accurate name for this?

Also, I've checked it out on our system and functionally it works as we need it to. Thanks again for the quick turnaround.


Mark Chaimungkalanont [Atlassian] added a comment - 15/Jan/06 09:22 PM
Erik,

Apologies for the oversight! The actual title should be "Assignee (show only projects with assignable permission)". The process is slightly complicated if you want to change this in your installation. You'll need to unzip the jar language_default.jar, find the file JiraWebActionSupport.properties and add the line below to it.

admin.permission.types.current.assignee.has.assignable.perm = Assignee (show only projects with assignable permission)

You should then rezip the JAR and replace the old language_default.jar with the new one. The somewhat complex process is due to the fact that JIRA can be internationalised into other languages.

The name is unimportant other than for administrative purposes, so if you don't want to go through the trouble of updating the properties file, you don't have to. It will be fixed in JIRA 3.5.

Cheers,

Mark C


David Feldman added a comment - 10/Mar/06 09:16 AM
I'm interested in both the "current user has assignable" and "current user has create issue" permissions, but I'm concerned about maintenance. We're running 3.5.1 Enterprise, and it seems we have to uncomment these permissions from the permission-types.xml file. When we upgrade, won't we have to do that again?

Forgetting the current implementation, what I'd like to see as a customer is a General Configuration setting called "Advanced Permissions" or something. If we set that to on, then these more granular permissions become available. Then, when we upgrade, the configuration setting follows us.

Please advise if I am correct in that upgrading means changing the .xml file again.

Thanks.


Dylan Etkin [Atlassian] added a comment - 13/Mar/06 05:51 PM
Hi David,
You are correct, you will need to uncomment out these options in the xml file every time you upgrade. I think the idea of "Advanced Permissions" is certainly broader than this issue and if you would like I think the best thing to do is open a new feature request to deal with the idea.

Thanks,
Dylan