Issue Summary

Automation rule can send emails to all members of a group independent of the Rule context. It does not check also if the member has permission to the project (Browse Project).

The expectation was that it would respect the Rule's context or follow the same conditions explained in the notification scheme documentation:

• User to have "Browse Project" permission;
• The user should be able to log in.

Security problems:

• An actor (not Jira Admin) most likely will select a group, as it is currently not possible to select a Project Role or an organization;
• The group follows a global context, and the actor may incorrectly select a group with members that should not receive the notification, as they do not have permission for the project.

This is reproducible on Data Center: (yes)

Steps to Reproduce

1. Create Jira Software Project "projectA";
2. Create User "user1" and "Leader1" created as members of the Jira Software Users group;
3. Add the User "user1" and "Leader1" with the role "Administrator" on Project "projectA";
4. Create Group "JiraLeaders";
5. Add "Leader1" as a member of Group "JiraLeaders", but add also some other Jira Software users;
6. Modify the Permission Scheme used by "projectA", giving "Browse Projects" permission to only Jira Administrators and the Users with the project role "Administrator";
7. Create a rule:

• Actor: Select the user "user1";
• Context: For the project "projectA"
• Trigger: whenever a new issue is created (for instance);
• Action: Send an email selecting the group "JiraLeaders" in the "To:" field;

8. Create a new issue

Expected Results

User1 and Leader1 would receive an email from the automation rule

Actual Results

All members of the group "JiraLeaders" receive an email

Workaround

Manually select each user in the "To:"  field, as it is currently not possible to select a Project Role or an organization.