Details
-
Suggestion
-
Resolution: Unresolved
-
None
-
0
-
2
-
Description
NOTE: This suggestion is for JIRA Server. Using JIRA Cloud? See the corresponding suggestion.
Context
When using JQL with auto-complete switched on, searching for fields will always list global values. For instance, when using the IN operator in JQL, auto-complete will "give away" values for the majority of fields. Given that for each individual project there are schemes restricting or limiting the available fields, only context-specific values should be accessible for the user.
The current behaviour seems to be potentially problematic with regard to usability or security concerns.
Objective
As a user, I want the auto-complete function to only present field values relevant for my context.
With "my context" meaning:
- Projects, I have permission to browse; or
- Values for fields that are configured/enabled via a scheme configuration for that project.
In other words: the behaviour and underlying logic of JIRA's JQL search capabilities should respect project configuration and permissions to not reveal global field values.
Steps to reproduce
- Create a user that has access only to one particular project.
- Configure the project in the following way:
- A basic workflow (eg. only with three statuses TODO, DOING, DONE).
- No Custom Fields used on any screen or any scheme;
- In JIRA, browse to "Search for issues" in Advanced mode and try the following:
- status IN (
-> Auto-complete will display a preview of all existing statuses (in addition to our three). - project IN ("My Project") AND
-> A preview of globally existing custom fields will be displayed.
- status IN (
Other fields which are affected by the described behaviour as well are:
- Issue Type
- Status
- Assignee
- Resolution
- Component
- FixVersion
- Custom Fields
Footnote
- The search for projects does respect the configuration. As a user, auto-complete only displays a list of projects I am authorised to browse:
project IN (
Attachments
Issue Links
- relates to
-
- Closed
