Details
-
Bug
-
Resolution: Unresolved
-
Low
-
None
-
9.11.0, 9.12.7, 9.15.1
-
9.11
-
1
-
Severity 3 - Minor
-
Description
Issue Summary
When the project administrator tries to create a new issue collector at Project settings > Issue collectors, a confusing error will be returned by the browser in case user doesn't have Modify Reporter permission.
It is expected that users with such permission configuration would not be able to interact with the "Reporter" user picker. The defect is reported in order to improve error-handling behaviour.
Steps to Reproduce
- Access project settings under an account with Administer Projects but without Modify Reporter
- Try to search for a user account in the "Reporter" field. A native browser pop-up window with "You are not authorized to perform this operation. Please log in" error will be triggered.
Expected Results
It is expected that users with such permission configuration would not be able to interact with the "Reporter" user picker. However, from user experience perspective it would be better to handle the HTTP 401 error and report it in a more meaningful/clear way instead of a browser pop-up error.
Actual Results
Attempt to interact with the "Reporter" user picker field fails with HTTP 401 "Not Authorized" error for <base_url>/rest/internal/2/users/reporter?maxResults=100&projectKeys=<project>&query= request. That leads to a confusing browser pop-up error.
Workaround
Since 9.11 it is required that user needs to have the Modify Reporter and Browse projects permissions in order to interact with the "Reporter" field.
The most straightforward solution to prevent this pop-up error would be to grant the project administrator Modify Reporter permission.
In case this is not possible/not desired, you could disable com.atlassian.jira.ignoreBrowseUsersPermissionsInUserPickers feature flag, which will revert permission checker logic to the pre-9.11 version state (please refer to Jira Software 9.11.x release notes - Project permissions get extended configuration for additional details).