Loading...

XML

Word

Printable

Details

Type: Bug
Resolution: Fixed
Priority: Low
Fix Version/s: 8.4.2, 8.5.0
Affects Version/s: 7.5.2, 7.0.0, 7.9.0, 7.6.14, 8.4.0, 7.13.6, 8.3.3
Component/s: Java API
Labels:
None

Fixed in Long Term Support Release/s:

Download 8.5
Introduced in Version:
7
Support reference count:
2
Symptom Severity:
Severity 3 - Minor
UIS:
1
Bug Fix Policy:
View Atlassian Server bug fix policy

Description

Method AssigneeSystemField#validateParams is used to validate Assignee for multiple IssueService methods e.g.:

validateAssign
validateUpdate

It's supposed to get ApplicationUser user from these methods for validation (checking Assign Issues permission in particular). However, currently it doesn't and checks the permission against the current logged-in user instead:

hasPermission(ProjectPermissions.ASSIGN_ISSUES, issue, getAuthenticationContext().getLoggedInUser())

This is a bug in which:

The current logged-in user may be anyone and the validation may pass in an unexpected way if this user has Assign Issues permission
In case this user doesn't have the permission, this error is thrown regardless:
```
You do not have permission to assign issues.
```

Attachments

Issue Links

causes

JRASERVER-42609 Assignee permission check during IssueService validateUpdate uses the JIRA authentication context user not the supplied user

Closed

relates to: MNSTR-3208 Loading...

Activity

People

Assignee:: Daniel Rauf

Reporter:: Andy Nguyen (Inactive)

Votes:: 4 Vote for this issue

Watchers:: 9 Start watching this issue

Dates

Created:: 20/Apr/2018 7:32 AM

Updated:: 22/May/2020 8:25 AM

Resolved:: 02/Oct/2019 6:29 PM