
Grant "Browse Project" permission to "Current Assignee" makes project visible to all users

      NOTE: This bug report is for JIRA Cloud. Using JIRA Server? See the corresponding bug report.

      Status Update

      Hi everyone,

      We have reviewed the status of this issue and there are not currently plans to fix this bug in Jira Cloud. Extensive analysis over the last couple years has indicated that the complexity of addressing this bug without causing performance degradation for customers using permission schemes with user custom field grants is significant. Based on the number of customers that have actually been affected, we cannot justify the effort required to address it at this time.

      Thanks for your understanding.

      Regards,
      Dave Meyer
      Senior Product Manager, Jira Cloud

      Summary

      1. This bug is related to the closed bug ticket https://jira.atlassian.com/browse/JRA-8950
      2. When 'Current Assignee' is granted the Browse Project permission, other users are able to see this project.
      3. They cannot necessarily view or create issues, but they can see the project on the View All Projects page.
      4. They are also able to see the project name in the project filter of the Issue Search navigator, but no issues are displayed; only the project name appears in the Projects filter. Searching for issues in a restricted project shows "No issues were found to match your search", which is the correct behaviour.

      Steps to Reproduce

      1. Ensure you have a Jira instance with several projects, e.g. 'Project A' and 'Project B' - Done
      2. Ensure you have at least two different permission schemes, e.g. 'Permission Scheme A' and 'Permission Scheme B' - Done
      3. Ensure that, e.g., 'Project A' uses 'Permission Scheme A' and 'Project B' uses 'Permission Scheme B' - Done
      (screenshot: s1.png)

      4. Ensure that the 'Browse Project' permission is restricted to the appropriate project roles in each permission scheme, e.g. to the project role 'Tester' - Done
      (screenshots: s2.png, s3.png)
      5. Ensure that, e.g., 'User A' is assigned as 'Tester' to 'Project A' only, while 'User B' is assigned as 'Tester' to 'Project B' - Done
      (screenshots: s5.png, s6.png)

      Expected Results:

      User A is not supposed to be able to see Project B at all.

      Actual Results:

      User A is able to see Project A in various places:
      1. View All Projects (screenshot: s7.png)
      2. Issue Navigator (screenshot: s8.png)

      Workaround

      • Remove 'Current Assignee' from the Browse Projects permission.

      Workaround to restrict issue view to 'Current Assignee' and Browse Project to only a specific group of users, if a project is only relevant to one or several groups:

      1. Add the related groups to the Role (Users) or Role (Developers) and remove unrelated groups that should not see the project.
      2. Grant the Browse permission to those Roles (and remove 'Current Assignee' from the Browse Project permission).
      3. Use issue-level security to restrict viewing to 'Current Assignee'.
        Result: only the groups and users in the Roles granted Browse Project see the project, and they can browse only the issues assigned to them.
        Step-by-step instructions for setting the Security Level are in the knowledge base article "How to limit user to only browse issues assigned to or reported by them".

      Knowledge Base: Granting Browse Project permission to 'Current Assignee', 'Reporter' or 'User Custom Field Value' allows all users to view Project information
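A defender-side check for the condition this report describes, added here as an example (not Atlassian's code and not part of the issue): it audits the permission schemes returned by the Jira Cloud REST API for Browse Projects grants to the holder types the knowledge base article names. The response shape and the sample payload are constructed assumptions; in practice the JSON would come from an authenticated GET of the endpoint named in the comment.

```python
import json

# Holder types that the linked knowledge-base article names as leaking the
# project's existence to every user when granted Browse Projects.
ISSUE_SCOPED_HOLDERS = {"assignee", "reporter", "userCustomField"}
BROWSE = "BROWSE_PROJECTS"

# Constructed sample payload mirroring the (assumed) shape returned by
# GET /rest/api/3/permissionscheme?expand=permissions; not real data.
SAMPLE_RESPONSE = json.dumps({"permissionSchemes": [
    {"id": 10000, "name": "Permission Scheme A", "permissions": [
        {"permission": BROWSE, "holder": {"type": "projectRole", "parameter": "10002"}},
        {"permission": BROWSE, "holder": {"type": "assignee"}},
        {"permission": "CREATE_ISSUES", "holder": {"type": "assignee"}},
    ]},
    {"id": 10001, "name": "Permission Scheme B", "permissions": [
        {"permission": BROWSE, "holder": {"type": "projectRole", "parameter": "10002"}},
        {"permission": BROWSE,
         "holder": {"type": "userCustomField", "parameter": "customfield_10010"}},
    ]},
    {"id": 10002, "name": "Locked-down Scheme", "permissions": [
        {"permission": BROWSE, "holder": {"type": "group", "parameter": "testers"}},
    ]},
]})


def find_leaky_browse_grants(response_json: str) -> dict:
    """Map scheme name -> sorted offending holders for schemes that hit the bug.

    Only BROWSE_PROJECTS grants count: the same holder types on other
    permissions (CREATE_ISSUES above) do not expose the project list.
    """
    findings = {}
    for scheme in json.loads(response_json).get("permissionSchemes", []):
        offenders = []
        for grant in scheme.get("permissions", []):
            holder = grant.get("holder", {})
            if grant.get("permission") == BROWSE and holder.get("type") in ISSUE_SCOPED_HOLDERS:
                desc = holder["type"]
                if holder.get("parameter"):  # custom field id for userCustomField
                    desc += f"({holder['parameter']})"
                offenders.append(desc)
        if offenders:
            findings[scheme["name"]] = sorted(offenders)
    return findings


if __name__ == "__main__":
    for name, holders in find_leaky_browse_grants(SAMPLE_RESPONSE).items():
        print(f"{name}: remove Browse Projects grant for {', '.join(holders)}; "
              "restrict per-issue visibility with an issue security level instead")
```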


            Tiago Fragoso added a comment -

            Hey, how are you doing?

            We created another bug for this situation: https://jira.atlassian.com/browse/JRACLOUD-80945

            If you face the same issue as this bug, you can click on it, comment and vote on it.

            Best Regards,
            Tiago Fragoso
            Atlassian Cloud Support

            Daniil Chubiy added a comment -

            If you can't fix this, why not just remove the option to assign Reporter and Assignee for the Browse Project permission? This would completely fix this issue, and after that an option to grant Current Assignees and Reporters Browse Project would be treated as a feature which is hard to implement (it's obvious that the system needs to check the assignee or reporter field of all issues to render the list of available projects in this case; it would take a long time and a bunch of resources to perform). Leaving it the way you have done it, just marking it as impossible to fix, affects your new customers and makes them hate you and the way you work.

            Davide Mameli added a comment -

            Hi,

            this issue is very critical for our company, as any customer can basically browse the list of projects and therefore see and download the list of all other customers.

            We are very unhappy with your decision to deny the bug fix.

            Dave Meyer added a comment -

            Hi everyone,

            We have reviewed the status of this issue and there are not currently plans to fix this bug in Jira Cloud. Extensive analysis over the last couple years has indicated that the complexity of addressing this bug without causing performance degradation for customers using permission schemes with user custom field grants is significant. Based on the number of customers that have actually been affected, we cannot justify the effort required to address it at this time.

            Thanks for your understanding.

            Regards,
            Dave Meyer
            Senior Product Manager, Jira Cloud


            Raju Gottumukkala added a comment -

            When is the fix going to be released? This is affecting our productivity. The workaround suggested is not acceptable. That requires modification of all our permission schemes, which is easily a few days of effort.

            Thomas Lindner added a comment -

            Is there any ETA for this security bug?

            Steve Kostrey added a comment -

            Please deploy!

            Stefan Bogdan Cimpeanu added a comment -

            Would really like to see this fixed.
            Our company is being impacted heavily, as we cannot honor NDAs properly with our customers.
            The workaround does not allow customers to directly view assigned issues, and that causes a lot of overhead. Over 80 projects with over 700 users are impacted in our setup. Maintaining an updated users and roles list for each issue in those projects is not even remotely feasible.

            Uhub Admin added a comment -

            Can we PLEASE get an ETA on this issue being resolved?

            I find it baffling that a Major regression bug that impacts 25% of your client base cannot have even made it into active development in 2+ years.

            Our JIRA instance supports 60+ (and growing rapidly) companies under the umbrella of our parent group, and many clients are given access.

            The projects that need this type of setup are predominantly HR (as only top-level staff should be able to see all tickets, but will often need to loop in random staff for approval, e.g. client/project leads).

            This bug means that ALL of our HR projects show up in the project list, even for clients/suppliers. No, they cannot see any issues inside the project, but this is still information leakage (it shows who is using it to manage HR tasks), and causes confusion; it shouldn't be there in the first place.

            This is causing a massive headache for support and friction rolling out the tools for more and more teams.

            Sonny Mendoza added a comment -

            Reproduced in 6.4.13 as well.

              Assignee: Unassigned
              Reporter: Alejandro Conde Carrillo (aconde, Inactive)
              Affected customers: 70
              Watchers: 90