Jira Platform Cloud

[JRACLOUD-75053] Grant "Browse Project" permission to "User Custom Field Value" makes project visible to all users


      NOTE: This bug report is for JIRA Cloud. Using JIRA Server? See the corresponding bug report.

      Issue Summary

      Granting the "Browse Project" permission to "User custom field value (XXXX)" makes the project visible to all users, regardless of whether that field is filled on any issue or not.

      Steps to Reproduce

      Go to the permission scheme > grant "Browse Project" permission to "User custom field value (XXXX)"

      Expected Results

      The project should not be visible to all users here: https://<sitename>.atlassian.net/projects

      Actual Results

      The project is visible to all users here: https://<sitename>.atlassian.net/projects

      Workaround

      Remove the "User custom field value (XXXX)" in the Browse project permission
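The misconfiguration this report describes is easy to audit for: walk every permission scheme and flag any "Browse Projects" grant whose holder is a user or group custom field. The following script is an added example, not code from the bug report or from Atlassian. It assumes the payload shape and holder type names ("userCustomField", "groupCustomField", permission "BROWSE_PROJECTS") of the Jira Cloud REST API permission scheme resource; the scheme names and custom field ids in the sample are constructed for the example.

```python
import json

# Holder types that trigger the behaviour described in JRACLOUD-75053: granting
# "Browse Projects" to them makes the project visible to every user, whether or
# not the custom field is filled on any issue. The type strings and the payload
# layout follow the Jira Cloud REST API permission scheme resource as this
# example assumes it; the bug report itself only names the UI labels.
OVERLY_BROAD_BROWSE_HOLDERS = {
    "userCustomField": "User custom field value",
    "groupCustomField": "Group custom field value",
}
BROWSE_PERMISSION = "BROWSE_PROJECTS"


def find_broad_browse_grants(payload):
    """Return (scheme name, holder label) pairs for every Browse Projects grant
    whose holder is a user or group custom field. Other permissions granted to
    the same holder types are left alone: only the browse grant leaks the
    project to everyone."""
    findings = []
    for scheme in payload.get("permissionSchemes", []):
        for grant in scheme.get("permissions", []):
            if grant.get("permission") != BROWSE_PERMISSION:
                continue
            holder = grant.get("holder", {})
            label = OVERLY_BROAD_BROWSE_HOLDERS.get(holder.get("type"))
            if label is None:
                continue
            field_id = holder.get("parameter", "<unknown field>")
            findings.append((scheme.get("name", "<unnamed scheme>"),
                             f"{label} ({field_id})"))
    return findings


# Constructed sample in the shape of GET /rest/api/3/permissionscheme?expand=permissions.
# Scheme names and custom field ids are made up for this example.
SAMPLE_PAYLOAD = json.loads("""
{
  "permissionSchemes": [
    {
      "name": "Customer Access Scheme",
      "permissions": [
        {"permission": "BROWSE_PROJECTS",
         "holder": {"type": "projectRole", "parameter": "10002"}},
        {"permission": "BROWSE_PROJECTS",
         "holder": {"type": "userCustomField", "parameter": "customfield_10042"}},
        {"permission": "EDIT_ISSUES",
         "holder": {"type": "userCustomField", "parameter": "customfield_10042"}}
      ]
    },
    {
      "name": "Vendor Scheme",
      "permissions": [
        {"permission": "BROWSE_PROJECTS",
         "holder": {"type": "groupCustomField", "parameter": "customfield_10043"}}
      ]
    },
    {
      "name": "Default Software Scheme",
      "permissions": [
        {"permission": "BROWSE_PROJECTS",
         "holder": {"type": "applicationRole", "parameter": "jira-software"}}
      ]
    }
  ]
}
""")


if __name__ == "__main__":
    for scheme_name, holder in find_broad_browse_grants(SAMPLE_PAYLOAD):
        print(f"{scheme_name}: Browse Projects granted to {holder} "
              f"- project is visible to all users; remove the grant or use issue-level security")
```

Run against the constructed sample, the script reports the two schemes that grant Browse Projects to a custom field holder and stays silent on the project role and application role grants. Feeding it the real response from the permission scheme endpoint (with `expand=permissions`) gives the list of schemes to which the workaround above needs to be applied.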


            Lars Sundell added a comment -

            This is still a bug and changing it to "suggestion" is simply wrong.

            Why?

            In other settings we do in Jira you have to meet all criteria to see something, not only one/some of them, but in this case a project gets visible to all users as soon as you grant the "Browse Project" permission to "User custom field value (XXXX)".
            The solution proposed does not solve anything as far as I can see.

            To repeat the problem:

            We use the "User custom field value (XXXX)" to give access to specific users on an issue basis.

            Example:

            1. We create a field called "Custom Access" of type "User Picker (multiple users)"
            2. This field is associated with project A
            3. On issue A-1 we set the field to "Person 1, Person 2"

            Person 1 and Person 2 can now see the issue regardless of being assignee or having other roles in the project. BUT everyone with access to the Jira instance can see the project name.

            As far as I can see the linked page does NOT cover this scenario, and I do not see how it can.

            afang added a comment - edited

            Hi everyone,

            This is Amy Fang from the Jira Everest team. We would like to thank you for all the comments on the current need to limit user access when granting "Browse Project" permission to "User custom field value (XXXX)" field.

            The current functionality, which is to make the project visible to all users when assigning "Browse Project" permission to "User custom field value (XXXX)" field, is expected. However, we understand the confusion and inconvenience this functionality caused, hence we have added warning messages when such permission grant action is attempted.

            We have also updated our public documentation to suggest issue-level security:

            - Limit users to only browse issues assigned to/reported by them in Jira Cloud
            - Limit users to only browse issues assigned to/reported by them in Jira server

            I have thus converted this Bug to a Suggestion so that your votes will carry over and you can continue to track our progress. We will prioritise this feature request in our backlog as it has high user impact.

            Best,

            Amy Fang

            Giovanni Girgenti added a comment -

            How is this going? Please fix that, it's absolutely not acceptable to make the project visible to all users!

            Lars Sundell added a comment -

            I see that Adarsh Mysore Thimmappa is no longer assignee on this (it is now unassigned), but it is still "In Progress", which is clearly not right. What is happening on this bug?

            María Alario Oltra added a comment - edited

            How is this going? Any update on when this will be solved?

            Thomas Heidenreich (//S) added a comment -

            Happens also for "Group custom field value".

            Алишер Кадамов added a comment -

            Please fix asap guys!

            Sean McGarva added a comment -

            Just encountered this issue as I am trying to migrate to using Jira to be customer facing, away from Zendesk.

            However, external customers can see an internal project that has this Browse Projects permission set up using a custom user picker.

            Please fix!

            Marco Lovazzano added a comment -

            If it is confirmed as Lars indicated, you absolutely must put the development of the https://jira.atlassian.com/browse/JSDCLOUD-1547 feature on the roadmap.
            Our customers require visibility rules worthy of an ITSM platform and this, like others, is a significant shortcoming!

            Lars Sundell added a comment -

            What are the plans for this issue? The issue it is a clone of (JRACLOUD-37117) has some very worrying "conclusions".

            Are you seriously not going to fix a security issue because it is complex and hard to use? That is very worrying for us as a customer.

            Also: the server equivalent of this issue (JRASERVER-37117) has the component "Security", which I assume brings it a bit up on the attention list. Why is that missing for this ticket?

              Assignee: Unassigned
              Reporter: Michal Keshet
              Votes: 81
              Watchers: 96