Didn't log this as a bug, but some might consider it as such. We gave some external users read-only perms to our JIRA (like jira-users). Discovered shortly thereafter that they were able to transition issues through their workflows. After going through the docs, we began to worry that the only way to prevent this was to put conditions on all of the workflow steps (we have quite a few custom workflows). We confirmed this after talking to support.

This is onerous in our particular case, as we now need to go thru the process of manually updating all of our workflows to preclude this from happening. However, we think it illustrates an omission in the permission model. We understand that from a technical perspective workflows are managed separately via OSWorkflow. However, from a user/admin use case standpoint. A 'read-only' issue should be just that and there should be a more global way to enforce this (i.e. a "Transition Issues" permission), as saying that 'read-only' users can't do this on every transition step is redundant. The workflow conditions are more appropriate for 'fine-grained' checks like only 'testing' can move through this particular transition.