Details
-
Bug
-
Resolution: Fixed
-
Medium
-
3.8.1, 3.11
-
None
-
3.08
-
Description
Users may not be able to see certain issues in the IssueNavigator, if they create an issue level security, where the permission depends on a user custom field where the customfield does not have a searcher set. Browsing the issue directly, works fine, however when running a search the issue wont be displayed. The problem is basically that when running a search, permission checks are carried out against the index. In order for this permission check to work if the issue security level depends on a user custom field, then the value of that customfield needs to be indexed. This however only happens if a searcher has been set for the customfield.
The boolean permissions query being constructed may look something like this (depending on the groups a user may be in):
issue_security_level:-1 (+(+issue_security_level:10000 +(customfield_10000:jira-users customfield_10000:jira-developers)))
If customfield_10000 does not exist in the indexed documents (which will be the case if no searcher has been defined) then this query will always return false.
The workaround for this is to set a searcher for your customfield and and reindex JIRA.
In the long run we'll have to fix this by either:
- Indexing user custom fields always (regardless if a searcher has been set or not)
- Not allow users to remove a searcher for a user customfield that's being used as a permission. Similarly not allow users to add a user customfield as a permission without a searcher.
- When the permission lucene query is being constructed, query the DB directly if the user customfield has not been indexed.
Attachments
Issue Links
- incorporates
-
JRASERVER-12448 Deleting a custom field which has an issue security scheme or permission scheme on it does not update the index and issue navigator is out of date
- Closed
- is duplicated by
-
JRASERVER-14670 AddPermission action needs extra validation for User Custom Field and Group Selector fields
- Closed