Uploaded image for project: 'Jira Data Center'
  1. Jira Data Center
  2. JRASERVER-14941

Users without permissions can browse projects that they do not have perms to if custom field-user picker

    XMLWordPrintable

Details

    Description

      If there is a custom field -user picker defined in the browse project section in permission scheme, then people who do not normally have permissions to view the project (and would not see the project on the dash) do see the project.

      Removing the custom field user-picker from the permission scheme does remove the visibility of the project.

      Confirmed behavior on client's dev instance via webex and on test

      If there are multiple issues in the project, the unprived user can see what he actually does have perm to see (i.e. if he is defined as a user in the custom field that is in browse project section), but if there are 0 issues that he has access to, he is still aware of the project.

      Reported in JSP-23027

      Attachments

        Issue Links

          relates to

          Bug - A problem which impairs or prevents the functions of the product. JRASERVER-4935 "Browse Project" permission for "Current Reporter" grants users to see projects they are not permitted to.

          • Medium - Medium priority issues
          • Closed

          Activity

            People

              Unassigned Unassigned
              twong Tim Wong (Inactive)
              Votes:
              0 Vote for this issue
              Watchers:
              2 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: