- Bug
- Resolution: Fixed
- High
- 10.119.3
- 1
- Severity 2 - Major
- No
Issue Summary
Objectives that the user doesn't have access to due to their team/portfolio membership can still be accessed and modified via a direct URL link to the Objectives grid with the details panel.
This behaviour is inconsistent with other work items. For example, when trying to directly access Features that we don't have access to, we get a message saying that we don't have permissions or the item doesn't exist.
There's no such message for Objectives and users can freely modify them.
Steps to Reproduce
- Log in as a non-admin user with system role permissions enabled for Objectives (Portfolio, Program, Team, Solution levels), including save/modify
- Assign this user to a Portfolio team
- This Portfolio should have NO objectives created in it
- Check the Objectives grid without any filters to make sure the user can't see any objectives that we are going to try to access in step 4
- Pick an objective ID for an objective that the user can't access
- Go to <yourJAsite>/MilestoneGrid?FirstTime=True&Inf=1&MilestoneID=<yourObjectiveID>
- Observe that the objective details panel opened and can be modified
Expected Results
Since the user can't access the objectives through the Objectives grid or global search, it's expected that they'll get an error when trying to access one by URL, just like they would for other work items such as Features or Stories.
Actual Results
Objectives that the user can't usually access can be accessed and modified via direct link.
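The gap between the expected and actual results comes down to the by-ID path not applying the scoping rule that the grid applies. The sketch below is an added example, not the product's code: every class, function, ID and message in it is hypothetical and the data is constructed. It shows the unscoped lookup beside a version where read and write both go through the same membership check and return one uniform error.

```python
from dataclasses import dataclass

# Constructed sample model; all names and ids are hypothetical.
@dataclass
class Objective:
    id: int
    portfolio: str
    name: str

@dataclass(frozen=True)
class User:
    name: str
    portfolios: frozenset   # portfolios reachable through team membership
    can_modify: bool        # system role toggle: save/modify Objectives

class NotFoundOrForbidden(Exception):
    """One error for 'missing' and 'not permitted', so ids cannot be probed."""

DENIED = "You don't have permission or the item doesn't exist"  # constructed text

OBJECTIVES = {
    101: Objective(101, "Portfolio A", "Grow retention"),
    202: Objective(202, "Portfolio B", "Cut latency"),
}

def visible(user, obj):
    # Single scoping rule shared by the grid and every by-id path.
    return obj.portfolio in user.portfolios

def grid(user):
    return [o.id for o in OBJECTIVES.values() if visible(user, o)]

def details_unscoped(user, objective_id):
    # Shape of the reported behaviour: lookup by id alone, no membership check.
    return OBJECTIVES[objective_id]

def load_scoped(user, objective_id):
    obj = OBJECTIVES.get(objective_id)
    if obj is None or not visible(user, obj):
        raise NotFoundOrForbidden(DENIED)
    return obj

def modify_scoped(user, objective_id, new_name):
    obj = load_scoped(user, objective_id)   # re-check on write, not only on read
    if not user.can_modify:
        raise NotFoundOrForbidden(DENIED)
    obj.name = new_name
    return obj
```

A regression test for this class of bug should assert that an ID absent from the user's grid is also refused by the details and save paths, with the same response as a nonexistent ID.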
Workaround
Currently, there is no known workaround for this behavior. A workaround will be added here when available.
- is related to PS-131273