[JRASERVER-26659] Group Custom Field Value in the "Create Issue" project permission allows any user to create issues on a given project

      When using the Group Custom Field Value on the "Create Issue" project permission, any user in JIRA is able to create issues on the project.

      Steps to reproduce:

      • Create a Group Picker custom field (Global Context) (Administration > Issue Fields > Custom Fields) - let's say Test Group Picker Custom Field
        • OPTIONAL Set a default value for the custom field
      • Go to the Default permission scheme and Add to the "Create Issue" Permission the option Group Custom Field Value
      • Go to the Default permission scheme and Add to the "Create Issue" Permission the option Group and choose group jira-administrators
      • Create a user and add it only to the jira-users group.
      • Create a project and associate it to the Default permission scheme
      • Log in to JIRA with the user you just created
      • The user will be able to create issues on the project you just created.
        • If you remove the Group Custom Field Value from the "Create Issue" permission, the user is no longer able to create issues on the project.


            Maksims Andersons added a comment -

            Also need to check
            System - Global Permissions
            Permission: Browse Users
            (Ability to select a user or group from a popup window as well as the ability to use the 'share' issues feature. Users with this permission will also be able to see names of all users and groups in the system.)
            You should add the user group whose members you want to see in the custom field User Picker (single user)

            Anja Spörl added a comment -

            It is the same behaviour for the browse project permission.

            As soon as I set the custom user-field, all users can browse all projects that are assigned to this permission scheme. This is a bit annoying, because I would like to prevent users from seeing projects they are not part of but might be selected in a custom user field (and by that get access to the issue via security level)

            Is there a chance somebody will have a look at this?

            MattS added a comment -

            Apparently it does, and the same for User Picker fields too.


            MattS added a comment -

            An empty group custom field surely can't mean that anyone can do something. It should mean that the permission was not changed, right?


            metapoint added a comment -

            So you have given two different groups permission to create an issue in that project: the jira-administrators group and the group of people defined by the Group Picker custom field. Since that is null, it means everybody can create issues.
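The disagreement in the comments above, as an added example that is not Jira's code and not part of the original issue: a minimal model in which the grants of a scheme are OR'ed and a group custom field grant has no issue to read its value from. The `fail_open` flag, the grant kind labels, the field name and the `audit` helper are all assumptions made for this sketch; `fail_open=True` models the reported behaviour and `fail_open=False` the reading MattS argues for.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Grant:
    permission: str   # e.g. "Create Issue"
    kind: str         # "group" or "group_custom_field" (labels assumed for this model)
    value: str        # group name, or name of the group picker custom field

@dataclass(frozen=True)
class User:
    name: str
    groups: frozenset

def grant_matches(grant, user, issue_fields, fail_open):
    if grant.kind == "group":
        return grant.value in user.groups
    if grant.kind == "group_custom_field":
        # At create time there is no issue yet, so the field may not resolve.
        group = (issue_fields or {}).get(grant.value)
        if group is None:
            return fail_open          # True: "null means everybody"
        return group in user.groups
    return False                      # unknown grant kinds never match

def has_permission(scheme, permission, user, issue_fields=None, fail_open=True):
    # Grants are OR'ed: a single matching grant is enough.
    return any(g.permission == permission
               and grant_matches(g, user, issue_fields, fail_open)
               for g in scheme)

def audit(scheme, contextless=("Create Issue", "Browse Projects")):
    """Flag field-based grants on permissions that are checked without an issue."""
    return [g for g in scheme
            if g.kind == "group_custom_field" and g.permission in contextless]

# Constructed data mirroring the reproduction steps in the report.
SCHEME = [
    Grant("Create Issue", "group", "jira-administrators"),
    Grant("Create Issue", "group_custom_field", "Group Picker CF"),
]
NEW_USER = User("newuser", frozenset({"jira-users"}))

if __name__ == "__main__":
    print("reported behaviour:", has_permission(SCHEME, "Create Issue", NEW_USER))
    print("fail-closed:", has_permission(SCHEME, "Create Issue", NEW_USER, fail_open=False))
    print("grants to review:", audit(SCHEME))
```

Running `audit` over each permission scheme gives a list of grants to review or remove, which matches the workaround noted in the report (removing the Group Custom Field Value grant restores the restriction).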

              Unassigned Unassigned
              cgauterio Clarissa Gauterio (Inactive)