- Bug
- Resolution: Fixed
- High
- 10.66
- None
- 2
- Severity 1 - Critical
- Avengers - RHP8, Stubborn Dragons - RHP9, Stubborn Dragons - SCORP1
Issue Summary
In https://jira.atlassian.com/browse/JIRAALIGN-1132 we implemented a fix in 10.66 that would allow a user to filter out portfolios in Administration -> Portfolio based on the Tier 1 setting.
The intent of the bug report, however, was not only to implement filtering but also to restrict users from seeing and managing Portfolios that they do not have access to.
This security restriction is what is missing from what we delivered in JIRAALIGN-1132.
Steps to Reproduce
1. Log in as a non-Super Admin user
2. Reset the Tier 1 filter (configuration bar) with no portfolios selected
3. Navigate to Admin -> Portfolio
Expected Results
User should be prohibited from viewing and editing any Portfolios that they do not have access to. In other words, they should see either a restricted list of Portfolios or no Portfolios at all.
Actual Results
4. User is able to view and edit all portfolios.
Workaround
Currently there is no known workaround for this behavior. A workaround will be added here when available.
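The gap described above is the difference between a display filter and an access check. The Python below is an added example, not Jira Align code: the `User` model, its `allowed_portfolios` field, the function names and the sample portfolios are all hypothetical. It puts the filter-only behaviour next to a listing and an edit check that apply the user's access first.

```python
from dataclasses import dataclass

# Hypothetical model for illustration; not Jira Align's data model.
@dataclass(frozen=True)
class User:
    name: str
    is_super_admin: bool
    allowed_portfolios: frozenset  # portfolio ids the user has access to

# Constructed sample data.
PORTFOLIOS = {1: "Retail", 2: "Payments", 3: "Platform"}


def list_portfolios_filter_only(user, tier1_filter):
    """Filter-only behaviour: the Tier 1 selection is the sole constraint,
    so a reset (empty) selection returns every portfolio to any user."""
    if not tier1_filter:
        return sorted(PORTFOLIOS)
    return sorted(p for p in PORTFOLIOS if p in tier1_filter)


def permitted_ids(user):
    """Portfolios the user may access, decided without looking at any filter."""
    if user.is_super_admin:
        return set(PORTFOLIOS)
    return set(user.allowed_portfolios) & set(PORTFOLIOS)


def visible_portfolios(user, tier1_filter):
    """Access first, filter second: the filter can narrow the permitted set
    but an empty filter never widens it."""
    visible = permitted_ids(user)
    if tier1_filter:
        visible &= set(tier1_filter)
    return sorted(visible)


def can_edit(user, portfolio_id):
    """Per-object check for the edit path, independent of what the grid shows."""
    return portfolio_id in permitted_ids(user)
```

With a non-Super Admin user who has access to portfolio 2 only, the filter-only listing returns all three portfolios for an empty filter, while `visible_portfolios` returns just portfolio 2 and `can_edit` rejects the others.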
- is related to
  - JIRAALIGN-1132 Portfolio grid does not honor Tier1 filter options (Closed)
  - ALIGNSP-1570
- resolves
  - ALIGNSP-2167