JIRAALIGN-3814

STORY MAPS - Save disabled, non-Portfolio/Program user can assign Stories into a Feature belonging to another Portfolio/Program


      Issue Summary

      Story Maps allows a user who has no access to Portfolio A, Program A or Agile Team A to change the parent Feature of Stories belonging to Portfolio A, Program A and Agile Team A.
      This happens even with the Story Maps Save permission set to DISABLED.

      Steps to Reproduce

      Permissions for User B.

      Program > Track > Story Maps ENABLED
      Program > Track > Story Maps > Save DISABLED
      Program > Features ENABLED
      Program > Features > Child permissions all DISABLED

      Conditions:

      • User B does not have membership/access to Portfolio A or child Program A or child Agile team A - all under portfolio A.
      • User B is a Member of Portfolio B, child Program B and Agile Team B, all under portfolio B.
      • Story Map A for Stories in Portfolio A is already created (by another user, eg User A).

      Steps

      1. Log in as User B.
      2. StoryMapGrid.asp displays all Story Maps regardless of the settings of the top tier configuration bar or the team permissions for Portfolios/Programs/Agile Teams.
      3. Story Map A is visible, so click on the map icon.
        (Note that clicking on the name of the Story Map opens a Details Panel, but it "spins" and throws a 403 unauthorised error on EditStoryMapSetup.asp.)
      4. ViewStoryMap.asp shows the Stories belonging to Portfolio A (regardless of the settings of the top tier configuration bar or the team permissions for Portfolios/Programs/Agile Teams).
      5. User B can click on "Group Into Feature".
      6. User B can select Stories belonging to Portfolio A.
      7. Click on Create Feature.
      8. The Add New Feature From Story Map window appears.
      9. Fill in the Name and Description.
      10. Program choices are only the Programs that User B has access to, e.g. Program B.
      11. Program Increment choices are only those that User B has access to.
      12. Click Save.

      Expected Results

      User B should not be able to view or edit Story Map A.
      User B should not be able to change the parent Feature of Stories belonging to Portfolio A.


      Actual Results

      Stories from Portfolio A/Program A are saved as children of a new Feature in Portfolio B, even though the user who took the actions has no access to Portfolio A/Program A according to team membership permissions.
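The report boils down to a missing server-side authorization check: the Program dropdown is filtered to what User B may pick, but neither the Save permission nor the user's access to the source Stories is enforced when the new Feature is saved. The following is an added illustration, not Jira Align code, of the checks such a save handler needs; the Story/User model, the can_access membership rule and the regroup_* handler names are all assumptions made for the example, and the sample users and stories are constructed to mirror the report's setup.

```python
"""
Added example (not Jira Align's code): a minimal model of the authorization
a "Group Into Feature" save handler needs. Portfolio/program names, the
permission flag and all helper names are assumptions made for illustration.
"""
from dataclasses import dataclass, replace
from itertools import count
from typing import FrozenSet, List, Optional


@dataclass(frozen=True)
class Story:
    id: int
    portfolio: str
    program: str
    feature_id: Optional[int] = None


@dataclass(frozen=True)
class User:
    name: str
    portfolios: FrozenSet[str]
    programs: FrozenSet[str]
    story_map_save: bool  # models "Program > Track > Story Maps > Save"


class AuthorizationError(Exception):
    pass


_feature_ids = count(100)  # stand-in for the database assigning Feature ids


def can_access(user: User, portfolio: str, program: str) -> bool:
    """Team-membership check: the user must be a member of both levels."""
    return portfolio in user.portfolios and program in user.programs


def regroup_vulnerable(user: User, stories: List[Story],
                       target_portfolio: str, target_program: str) -> List[Story]:
    """Mirrors the reported behaviour: the target program is restricted to what
    the user may choose (the dropdown filter), but the Save permission and the
    *source* stories are never checked server-side."""
    if not can_access(user, target_portfolio, target_program):
        raise AuthorizationError("no access to target program")
    feature_id = next(_feature_ids)
    return [replace(s, feature_id=feature_id) for s in stories]


def regroup_hardened(user: User, stories: List[Story],
                     target_portfolio: str, target_program: str) -> List[Story]:
    """Server-side checks a save handler should perform before re-parenting."""
    # 1. The action itself is gated by the Save permission, not just the UI.
    if not user.story_map_save:
        raise AuthorizationError("Story Maps > Save is disabled for this user")
    # 2. The target program must be one the user belongs to.
    if not can_access(user, target_portfolio, target_program):
        raise AuthorizationError("no access to target program")
    # 3. Every source story must be accessible too; this is the missing check
    #    that let User B move Portfolio A stories in the report above.
    for s in stories:
        if not can_access(user, s.portfolio, s.program):
            raise AuthorizationError(
                f"no access to story {s.id} ({s.portfolio}/{s.program})")
    feature_id = next(_feature_ids)
    return [replace(s, feature_id=feature_id) for s in stories]


def hardened_error_for(user: User, stories: List[Story],
                       target_portfolio: str, target_program: str) -> Optional[str]:
    """Return the rejection reason from the hardened handler, or None if allowed."""
    try:
        regroup_hardened(user, stories, target_portfolio, target_program)
        return None
    except AuthorizationError as exc:
        return str(exc)


# Constructed sample data reflecting the report's setup (not real tenant data).
USER_B = User("User B", frozenset({"Portfolio B"}), frozenset({"Program B"}),
              story_map_save=False)
USER_A = User("User A", frozenset({"Portfolio A"}), frozenset({"Program A"}),
              story_map_save=True)
STORIES_A = [Story(1, "Portfolio A", "Program A"),
             Story(2, "Portfolio A", "Program A")]


def demo() -> dict:
    """Run both handlers with the report's actors and summarise the outcome."""
    moved = regroup_vulnerable(USER_B, STORIES_A, "Portfolio B", "Program B")
    allowed = regroup_hardened(USER_A, STORIES_A, "Portfolio A", "Program A")
    return {
        "vulnerable_reparented": sum(s.feature_id is not None for s in moved),
        "hardened_error": hardened_error_for(USER_B, STORIES_A, "Portfolio B", "Program B"),
        "authorized_reparented": sum(s.feature_id is not None for s in allowed),
    }


if __name__ == "__main__":
    print(demo())
```

The order of the checks matters for detection as much as for blocking: rejecting on the Save permission first gives a clear audit signal that a disabled UI action was invoked directly, and the per-story check in step 3 is what closes the cross-Portfolio re-parenting even for a user whose Save permission is enabled.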

      Workaround

      None.
