Add-On Project Role allows Project Administrators to Gain Access to All Permission

XMLWordPrintable

    • 4
    • Severity 3 - Minor

      Problem Description

      By default, when installing an Atlassian Connect add-on, it creates a new role as atlassian-addons-project-access on all projects. And in the project permission scheme, it added the role atlassian-addons-project-access to gain access to all permission.

      This creates a problem for the scenario below, where a user (not JIRA Administrator) is given Administer Projects with limited permissions. The user gains the ability to add his user to the project role atlassian-addons-project-access and granted access to all permissions.

      Note:

      • Project Administrator has no ability to change the project permission.
      • Project Administrator has the ability to add users to role

      Steps to Replicate

      1. Create a project
      2. Create a normal user without JIRA Administrator global permission
      3. Grant the user to Administer Projects permission on the project permission scheme
      4. Install an add-on
      5. Using the user navigate to the project setting permission scheme
      6. Notice that user is unable to change the project permission
      7. Navigate to the Users and roles page
      8. Notice that user able to add another user to role atlassian-addons-project-access and gain access to all permission

      Expected Behavior

      Project administrators are unable to add any user to the role atlassian-addons-project-access as it is meant to be add-on usage only. This would prevent them from granting themselves full permission for the project.

      Actual Behavior

      Project administrators are able to grant full permission by adding themselves to the role atlassian-addons-project-access

      Workaround

      You can manually change the add-on permission group by adding the groups to the permission scheme and remove the project role atlassian-addons-project-access, that will ensure that the add-on function as it should and project administrators were not able to elevate their permission.

      Do note of the following limitation by the workaround:

      • New add-on installation will recreate role and added back to the permission scheme
      • It might require you to perform clean up if this bug is fixed

            Assignee:
            Unassigned
            Reporter:
            Richie Gee (Inactive)
            Votes:
            0 Vote for this issue
            Watchers:
            5 Start watching this issue

              Created:
              Updated:
              Resolved: