JRACLOUD-67341 (Jira Platform Cloud)

Granting Current Assignee the Administer Projects permission allows users to view all projects

Summary

Granting the Current Assignee role the Administer Projects permission allows users to see ALL projects that use that permission scheme. The projects are visible even if the user has no issues assigned to them in the project and is not a site admin. This is a security issue, since it lets such users view project settings and edit some project fields.

Environment

• JIRA Cloud: 1000.1162.0

Steps to Reproduce

Isolate a test user so that they only have JIRA application access on the instance and no other project permissions:

1. Create a sample user. (You can use any user that has no issues created or assigned.)
2. Create a new group: test-group
3. Add the user to the group
4. Remove all other groups from the user so that their only group is test-group
5. Grant JIRA application access to test-group: https://<example>.atlassian.net/admin/accessconfig (the user can only sign in, no admin permission)
6. Log in as the user
7. The cog wheel for JIRA Administration is NOT present in the top right. This is good news and is intended
8. Open the Browse Projects page: https://<example>.atlassian.net/secure/BrowseProjects.jspa?selectedCategory=all&selectedProjectType=all > The user should only see the projects they have access to. In this test, that is only the project using the Any Logged In User permission. This is right
9. Paste the URL of the Project Admin page (a page the example user cannot navigate to via the UI) > https://<example>.atlassian.net/secure/project/ViewProjects.jspa
10. The user cannot see a list of projects, which is good and right > error:
  You do not have the permissions to administer any projects, or there are none created.
        

Create the bug: add Current Assignee to the Administer Projects permission of a test permission scheme

1. Add Current Assignee to the Administer Projects permission of the sample permission scheme
2. Make sure the permission scheme has a few projects attached
3. Log in as the test user
4. The cog wheel to Administer JIRA is now visible in the top right. The only selection in the drop-down is Projects
5. Clicking Projects takes you to the Project Admin page > https://<example>.atlassian.net/secure/project/ViewProjects.jspa
6. You can see ALL projects that have the test permission scheme attached, even though the user never had access to view these projects and is not a site admin. The user can also make changes to certain fields

Expected Results

• Users should only be able to administer projects in which they have assigned tickets
• Users should only be able to view and access projects in which they have assigned tickets

Actual Results

• End users are able to view ALL projects attached to a permission scheme that lists Current Assignee for the Administer Projects permission
• Users are also able to make changes to these projects
• The list of projects attached to the permission scheme is visible to all users, including non-admins, even if the user has no issues assigned to them in the project

Notes

Related bugs:

Feature request:

Workaround

Remove Current Assignee from the Administer Projects permission in all permission schemes.

Query to narrow down the affected permission schemes:

-- Lists every permission scheme that grants ADMINISTER_PROJECTS to the
-- Current Assignee (perm_type 'assignee'). perm_parameter is NULL for this
-- holder type; the GroupName alias only applies to group-based grants.
SELECT SP.perm_type AS Role, SP.perm_parameter AS GroupName, PS.name AS PermissionSchemeName, SP.permission_key AS Permission
FROM schemepermissions SP
INNER JOIN permissionscheme PS ON SP.scheme = PS.id
WHERE SP.permission_key = 'ADMINISTER_PROJECTS'
AND SP.perm_type = 'assignee';
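On Jira Cloud the database is not reachable, so the same check has to go through the permission scheme REST API. The Python below is an added example, not part of this ticket; it assumes the response shape of GET /rest/api/3/permissionscheme?expand=permissions (holder type "assignee" for Current Assignee, grant ids usable with the per-permission DELETE endpoint) and runs on a constructed sample response rather than a live site.

```python
import json

# Constructed sample of a Jira Cloud response for
# GET /rest/api/3/permissionscheme?expand=permissions. The ids, names and
# grants are made up for this example; only the field layout is assumed.
SAMPLE_RESPONSE = json.dumps({
    "permissionSchemes": [
        {"id": 10000, "name": "Default Permission Scheme", "permissions": [
            {"id": 10100, "holder": {"type": "projectRole", "parameter": "10002"},
             "permission": "ADMINISTER_PROJECTS"},
            {"id": 10101, "holder": {"type": "assignee"},
             "permission": "EDIT_ISSUES"},
        ]},
        {"id": 10001, "name": "Test Permission Scheme", "permissions": [
            {"id": 10200, "holder": {"type": "assignee"},
             "permission": "ADMINISTER_PROJECTS"},
            {"id": 10201, "holder": {"type": "applicationRole"},
             "permission": "BROWSE_PROJECTS"},
        ]},
    ]
})


def find_assignee_admin_grants(body):
    """Return (scheme_id, scheme_name, grant_id) for every ADMINISTER_PROJECTS
    grant whose holder is Current Assignee. Same filter as the SQL above:
    permission_key = 'ADMINISTER_PROJECTS' AND perm_type = 'assignee'."""
    data = json.loads(body) if isinstance(body, str) else body
    hits = []
    for scheme in data.get("permissionSchemes", []):
        for grant in scheme.get("permissions", []):
            if (grant.get("permission") == "ADMINISTER_PROJECTS"
                    and grant.get("holder", {}).get("type") == "assignee"):
                hits.append((scheme["id"], scheme["name"], grant["id"]))
    return hits


def removal_paths(hits):
    """Build the path of the grant-removal endpoint for each finding:
    DELETE /rest/api/3/permissionscheme/{schemeId}/permission/{permissionId}."""
    return [f"/rest/api/3/permissionscheme/{s}/permission/{g}" for s, _, g in hits]


if __name__ == "__main__":
    found = find_assignee_admin_grants(SAMPLE_RESPONSE)
    for scheme_id, name, grant_id in found:
        print(f"scheme {scheme_id} ({name}): grant {grant_id} gives "
              f"Current Assignee ADMINISTER_PROJECTS")
    for path in removal_paths(found):
        print("DELETE", path)
```

Run the scan against the live endpoint with a site-admin token, review the listed schemes, then issue the printed DELETE requests to apply the workaround.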
      


Assignee: Unassigned
Reporter: jromero@atlassian.com Jose R. (Inactive)