Uploaded image for project: 'Jira Cloud'
  1. Jira Cloud
  2. JRACLOUD-31720

Grant "Browse Project" permission to "Current Assignee" makes project visible to all users

    XMLWordPrintable

Details

    Description

      NOTE: This bug report is for JIRA Cloud. Using JIRA Server? See the corresponding bug report.

       

      Status Update

      Hi everyone,

      We have reviewed the status of this issue and there are not currently plans to fix this bug in Jira Cloud. Extensive analysis over the last couple years has indicated that the complexity of addressing this bug without causing performance degradation for customers using permission schemes with user custom field grants is significant. Based on the number of customers that have actually been affected, we cannot justify the effort required to address it at this time.

      Thanks for your understanding.

      Regards,
      Dave Meyer
      Senior Product Manager, Jira Cloud

       

      Summary

      1. This bug is related to closed bug ticket https://jira.atlassian.com/browse/JRA-8950
      2. When the Current Assignee is given the Browse Project Permission, other users are able to view this Project.
      3. They can't necessarily view issues or create issues, but they can see the project from the View All Projects page.
      4. They are also able to see the project name at the project filter on the Issue Search navigator but no issues will be displayed. Only the name of the filter at Projects. When trying to search issues from restricted projects it will show "No issues were found to match your search" which is good.

      Steps to Reproduce

      1. ensure to have a jira instance with several projects e.g 'Project A' and 'Project B' - Done
      2. ensure to have at least two different permission schemes e.g. 'Permission Scheme A' and 'Permission Scheme B' - Done
      3. ensure to that e.g. 'Project A' uses the 'Permission Scheme A' and 'Project B' uses the 'Permission Scheme B' - Done

      4. ensure that the 'Browse Project' permission is restricted to the appropriate project roles in each permission scheme e.g. to the project role 'Tester' -Done


      5. ensure that e.g. 'User A' is assigned as 'Tester' to 'Project A' only, while 'User B' is assigned as 'Tester' to 'Project B' - Done

      Expected Results:

      User A is not supposed to be able to see Project B at all.

      Actual Results:

      User A is able to see Project A at various places :
      1. View All Projects

      2. Issue Navigator

      Workaround

      • Remove Current Assignee on Browse Projects Permission

      Workaround to restrict issue view to 'Current Assignee' and Browse Project to only a specific group of users:
      If a Project is only relevant to one or several groups

      1. Add the related groups to the Role(Users) or Role(Developers) and remove unrelated groups that shouldn't see the project.
      2. Set Browse permissions for the Roles. (Remove 'Current Assignee' from Browse Project permission)
      3. Use Issue level security to restrict viewing to 'Current Assignee'
        Result: only groups and users in the Roles within Browse Project permission see the project and Browse only issues Assigned to them.
        Step by step instructions to set Security Level at How to limit user to only browse issues assigned to or reported by them

      Knowledge Base : Granting Browse Project permission to 'Current Assignee', 'Reporter' or 'User Custom Field Value' allows all users to view Project information

      Attachments

        1. s1.png
          16 kB
        2. s2.png
          54 kB
        3. s3.png
          76 kB
        4. s5.png
          31 kB
        5. s6.png
          31 kB
        6. s7.png
          24 kB
        7. s8.png
          32 kB

        Issue Links

          Activity

            People

              Unassigned Unassigned
              aconde Alejandro Conde Carrillo (Inactive)
              Votes:
              70 Vote for this issue
              Watchers:
              89 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: