-
Type:
Bug
-
Resolution: Unresolved
-
Priority:
Low
-
Component/s: Projects
-
None
-
Minor
Issue Summary
View-only members of private Projects are currently able to remove linked Jira work items from the Project, even though they don't have access to the Jira work item itself.
Project-level view-only access should prevent any modification to the linked items, regardless of the user’s access (or lack of access) to the underlying Jira work Items.
Currently, a view-only member:
- Cannot link a Jira work item to a project
- Cannot remove a linked Jira work item if they have access to the Jira work item
- Can remove it if they don't have access to it
Steps to Reproduce
- Create a private Project.
- Add User A as a view-only member of this Project.
- Identify a Jira work item that User A doesn't have permission to access.
- As a Project member/admin with edit permissions and with access to that Jira work item, link the Jira work item to the Project.
- Log in as User A
- Open the Project and navigate to the linked items section.
- The linked Jira work item isn’t visible, and the following message is displayed: “We couldn't find the linked Jira work item. It may have been removed, or you may not be able to view it.” However, the option to remove the item is still available.
- Attempt to remove the linked Jira work item from the Project.
Expected Results
A view-only member of a private Project should not be able to remove linked Jira work items from the Project.
Actual Results
The member is able to successfully remove the linked Jira work item from the Project.
Workaround
Currently, there is no known workaround for this behaviour. A workaround will be added here when available