Users without edit/resolve issues permission can still use Release > New version from a kanban board

XMLWordPrintable

    • 1
    • Severity 3 - Minor

      Issue Summary

      Users who have the Administer Projects permission but don't also have the Edit issues and Resolve issues permission should be prevented from releasing a new version from the kanban board.

      When users with this permission configuration attempt to do this, the update to the completed issues fails (with errors) and an empty version is created.

      Steps to Reproduce

      1. Create a software project using a kanban board, with the Releases feature enabled.
      2. Ensure the user has admin rights to the project, but not edit/resolve issues (missing either permission or both causes the same issue with a slightly different error message)
      3. Have at least one resolved issue in the last column, with no fix version set
      4. From the kanban board, go to the Releases > New version
      5. The modal to create a new version for your completed issues will appear, and allow you to enter the version details.
      6. Click the Release button.

      Expected Results

      If the user doesn't have all of the permissions required to complete the action, they should be stopped with a message explaining the permissions that are required and no changes made.

      This would be in line with the Release button itself being greyed out if the user doesn't have project admin permissions, with a tooltip explaining the permission required to use it. The Complete sprint button on a Scrum board also has this behaviour.

      Either the New version option in the release dropdown could be disabled, or the Release button in the new version popup could be disabled to prevent the user from proceeding.

      Actual Results

      An error is shown for each issue that was supposed to be in the release, but the release is still created with no issues attached to it even if you click on the Cancel link.

      Missing edit permission: "You do not have permission to edit issues in this project."

      Has edit permission but not resolve: "Could not update the issue(s). Either the issues are not editable, or you do not have permission to do so."

      When the user is missing the resolve permission the error is technically correct, but not helpful to identify the missing permission.

      Workaround

      The empty versions that have been created can be deleted from the Releases page.

      To prevent the user doing the same thing again, either:

      1. Give them both Edit issues and Resolve issues permissions, or
      2. Remove the Administer projects permission to prevent them from being able to create a version.

        1. editperm.png
          editperm.png
          75 kB
        2. resolveerror.png
          resolveerror.png
          83 kB

            Assignee:
            Unassigned
            Reporter:
            Eleanor Thomasson (Inactive)
            Votes:
            0 Vote for this issue
            Watchers:
            4 Start watching this issue

              Created:
              Updated:
              Resolved: