Uploaded image for project: 'Jira Data Center'
  1. Jira Data Center
  2. JRASERVER-14424

Separate permissions for issue filtering and project display

    XMLWordPrintable

Details

    • 1
    • 7
    • We collect Jira feedback from various sources, and we evaluate what we've collected when planning our product roadmap. To understand how this piece of feedback will be reviewed, see our Implementation of New Features Policy.

    Description

      NOTE: This suggestion is for JIRA Server. Using JIRA Cloud? See the corresponding suggestion.

      The "Browse projects" permission mixes up two different things: (1) permission to see a project at all, (2) permission to see project issues. These two capabilities should have distinct permissions. The current mixup drastically reduces the usefulness of granting permissions to "Reporter" and "Current assignee". A distinct "View project" permission should be required before any other permission is considered. The current "Browse projects" permission could be renamed to "Browse issues".

      Currently if you grant "Browse project" to "Reporter", ALL users can see ALL projects, even those where they have no role. Of course you can create a permission scheme per project, but that nullifies the whole point of having permission schemes.

      This subject has been extensively discussed previously (JRA-4093, JRA-4935, JRA-8950, JRA-11881, JRA-14307). A fix is identified in JRA-14307. It's great to have a patch, but much better to solve the underlying problem.

      Workaround
      This might help in some cases : https://confluence.atlassian.com/display/JIRA/Current+Reporter+Browse+Project+Permission.

      Attachments

        Issue Links

          is duplicated by

          Bug - A problem which impairs or prevents the functions of the product. JRASERVER-18812 "User Custom Field Value" permission type incorrectly exposes JIRA project names to everyone

          • Medium - Medium priority issues
          • Closed
          relates to

          Bug - A problem which impairs or prevents the functions of the product. JRASERVER-8950 "Current Assignee" on Browse Permission creates security hole

          • High - High priority issues
          • Closed

          Bug - A problem which impairs or prevents the functions of the product. JRASERVER-4935 "Browse Project" permission for "Current Reporter" grants users to see projects they are not permitted to.

          • Medium - Medium priority issues
          • Closed

          Bug - A problem which impairs or prevents the functions of the product. JRASERVER-11881 Setting Browse Projects to anything but a group makes projects visible to jira-users

          • Medium - Medium priority issues
          • Closed

          Bug - A problem which impairs or prevents the functions of the product. JRASERVER-4093 Current Reporter view

          • Low - Low priority issues
          • Closed

          Suggestion - JRASERVER-14307 Add possibility to make projects visible only to by some users

          • Closed

          Suggestion - JRACLOUD-14424 Separate permissions for issue filtering and project display

          • Gathering Interest
          mentioned in

          Page Loading...

          Wiki Page Loading...

          Activity

            People

              Unassigned Unassigned
              e38f85614ab3 Hakan Soderstrom
              Votes:
              21 Vote for this issue
              Watchers:
              22 Start watching this issue

              Dates

                Created:
                Updated: