-
Bug
-
Resolution: Unresolved
-
Medium
-
22
-
Severity 2 - Major
-
6
-
NOTE: This bug report is for JIRA Cloud. Using JIRA Server? See the corresponding bug report.
Summary
- This bug is related to closed bug ticket https://jira.atlassian.com/browse/JRA-31720
- When the Current Assignee is given the Browse Project Permission, other users are able to view this Project.
- They can't necessarily view issues or create issues, but they can see the project from the View All Projects page.
- They are also able to see the project name at the project filter on the Issue Search navigator but no issues will be displayed. Only the name of the filter at Projects. When trying to search issues from restricted projects it will show "No issues were found to match your search" which is good.
Steps to Reproduce
1. ensure to have a Jira instance with several projects e.g 'Project A' and 'Project B' - Done
2. ensure to have at least two different permission schemes e.g. 'Permission Scheme A' and 'Permission Scheme B' - Done
3. ensure to that e.g. 'Project A' uses the 'Permission Scheme A' and 'Project B' uses the 'Permission Scheme B' - Done
4. ensure that the 'Browse Project' permission is restricted to the appropriate project roles in each permission scheme e.g. to the project role 'Tester' -Done
5. ensure that e.g. 'User A' is assigned as 'Tester' to 'Project A' only, while 'User B' is assigned as 'Tester' to 'Project B' - Done
6. Add the Current Assignee permission to the Permission scheme A
Expected Results:
User A is not supposed to be able to see Project B at all.
Actual Results:
User B will see Project A even though doesn't have permission for it.
Workaround
- Remove Current Assignee on Browse Projects Permission
Workaround to restrict issue view to 'Current Assignee' and Browse Project to only a specific group of users:
If a Project is only relevant to one or several groups
- Add the related groups to the Role(Users) or Role(Developers) and remove unrelated groups that shouldn't see the project.
- Set Browse permissions for the Roles. (Remove 'Current Assignee' from Browse Project permission)
- Use Issue level security to restrict viewing to 'Current Assignee'
Result: only groups and users in the Roles within Browse Project permission see the project and Browse only issues Assigned to them.
Step by step instructions to set Security Level at How to limit user to only browse issues assigned to or reported by them
Knowledge Base : Granting Browse Project permission to 'Current Assignee', 'Reporter' or 'User Custom Field Value' allows all users to view Project information
- is cloned from
-
JRACLOUD-31720 Grant "Browse Project" permission to "Current Assignee" makes project visible to all users
- Closed
- mentioned in
-
Page Loading...