Details
- Bug
- Resolution: Fixed
- High
- 10.70
- None
- 2
- Severity 2 - Major
- X-Men - SCORP6
Description
Issue Summary
With the release of Jira Align 10.70 to test environments, we included the fix to restrict the number of portfolios that a non-super-admin user has access to in the Administration -> Portfolios page:
https://jira.atlassian.com/browse/JIRAALIGN-1235
With the fix in place, non-super-admin roles with permission to view Administration -> Portfolios should only see the Portfolios that they have access to.
Some customers, however, tested the fix in their 10.70 environments and discovered that their non-super-admin role cannot see any portfolios when navigating to that page, even though that role is included as a "Portfolio Team" member in several portfolios.
Steps to Reproduce
Preconditions
- A non super admin role exists that has "Portfolio" permission enabled under the "6 Administration" heading in Administration -> Roles
- The role also has all toggles enabled under "2 Portfolio" except "connector", "folios", and "work-item" mind map.
- The user account tied to this role is a member of several portfolio teams
- The Feature Toggle for Private Portfolios is enabled.
- The user account is a member of both Private and non-private portfolio teams.
- Log in to Jira Align using an account with a role described in the Preconditions
- Completely reset everything in tier 1 if it is populated
- Navigate to Administration -> Portfolios
Expected Results
The user should be able to see a list of portfolios that they are a member of, regardless of public or private status.
Actual Results
Nothing is listed on the Portfolios page for that user.
John Martin on our dev team was able to reproduce this in a dev environment. Here are his findings:
There's a stored procedure called [RPM_GET_PROGRAM_LIST]
It has a line
Declare @UserUniq VARCHAR = CONVERT(VARCHAR(15), (SELECT TOP 1 Uniq FROM sysmemberpermssion WHERE UID = @UID))
The above is breaking in his environment (if the result is supposed to be user id '2010', this is giving '2' instead of '2010').
If he changes the line to
Declare @UserUniq VARCHAR(15) = CONVERT(VARCHAR(15), (SELECT TOP 1 Uniq FROM sysmemberpermssion WHERE UID = @UID))
...then portfolios, including the private one that the 2010 user belongs to, show up.
Note that it is only returning portfolios where, either:
- the user is a member directly to the portfolio, or
- the portfolio is public and has no programs, or
- the user is a member of a team or program within the portfolio.
In John's and the customer's situation, they were not even able to see public portfolios, which doesn't seem like intended behavior. It appears that the declare statement may be truncating the user id so that the incorrect user info is being passed when attempting to access portfolios.
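The truncation can be reproduced in isolation on SQL Server, where a VARCHAR declared without a length in a DECLARE statement is one character wide. The T-SQL below is an added example, not code from Jira Align: the table variable @perm, its single row, and the names @Truncated and @Full are constructed for illustration, and the catalog query at the end is a heuristic whose hits need manual review.

```sql
-- Added illustration (SQL Server T-SQL). The table variable and its row are
-- constructed stand-ins; they are not Jira Align's schema or data.
DECLARE @perm TABLE (UID INT PRIMARY KEY, Uniq INT NOT NULL);
INSERT INTO @perm (UID, Uniq) VALUES (7, 2010);

DECLARE @UID INT = 7;

-- Form from the report: VARCHAR with no length in a DECLARE means VARCHAR(1).
-- The CONVERT yields the full string; the assignment to the one-character
-- variable then truncates it silently, without an error or warning.
DECLARE @Truncated VARCHAR =
    CONVERT(VARCHAR(15), (SELECT TOP 1 Uniq FROM @perm WHERE UID = @UID));

-- Corrected form from the report: the variable is as wide as the CONVERT target.
DECLARE @Full VARCHAR(15) =
    CONVERT(VARCHAR(15), (SELECT TOP 1 Uniq FROM @perm WHERE UID = @UID));

-- Compare the two values and their stored lengths side by side.
SELECT @Truncated             AS declared_without_length,
       DATALENGTH(@Truncated) AS bytes_without_length,
       @Full                  AS declared_with_length,
       DATALENGTH(@Full)      AS bytes_with_length;

-- A permission filter keyed on the truncated value no longer matches the
-- user's own row, which is how an access check can end up returning nothing.
SELECT COUNT(*) AS rows_matched_by_truncated_id
FROM @perm
WHERE CONVERT(VARCHAR(15), Uniq) = @Truncated;

-- Heuristic sweep for the same pattern in other procedures, functions and
-- views: VARCHAR or NVARCHAR followed by anything other than '('.
-- It also flags CAST(x AS VARCHAR) (default length 30) and "VARCHAR (15)"
-- written with a space, so review each hit by hand.
SELECT OBJECT_SCHEMA_NAME(m.object_id) AS schema_name,
       OBJECT_NAME(m.object_id)        AS module_name
FROM sys.sql_modules AS m
WHERE m.definition LIKE '%VARCHAR[^(]%'
ORDER BY schema_name, module_name;
```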
Workaround
Currently there is no known workaround for this behavior. A workaround will be added here when available.
Issue Links
- is related to ALIGNSP-2167