Description
Problem:
Project names are shown to users with no permission to see the project.
Impact:
Security hole!
Recipe:
(it helps to have two browsers open, one logged in as admin and the other as the user I will create, called dummy)
- Add user dummy
- Add project blah
- Add custom field myuser of type user picker, global context and shown on all screens
- Remove all role assignments for project blah
- Grant yourself permission to create and edit issues in project blah
- Create issue BLAH-1
- Log in as user dummy and check that you cannot see project BLAH in BROWSE PROJECT -> All Projects (or BROWSE PROJECTS) (good)
- As the admin user edit project blah permission scheme
- Grant Browse Project permission to User Custom Field Value (myuser)
- Log in as user dummy and notice that you can now see project BLAH in BROWSE PROJECT -> All Projects (or BROWSE PROJECTS) (bad!) but you cannot see issue BLAH-1 (good)
- As the admin user edit issue BLAH-1 and add user dummy to the myuser field
- As the dummy user you should now be able to see issue BLAH-1 (good)
The problem is that com.atlassian.jira.security.type.UserCF:hasProjectPermission() must return true for the user to see the issue even though com.atlassian.jira.security.type.UserCF:hasIssuePermission() exists to determine that. Making com.atlassian.jira.security.type.UserCF:hasProjectPermission() return false correctly stops the project appearing in the project list but also prevents the user viewing any issues.
I did a quick Google and checked for issues in this JIRA but couldn't find this bug.
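As an added illustration (not Atlassian's code; every class and function name here is invented), a small Python model of the two-level check the description refers to: the project-level gate of the custom-field grant has to answer true before the per-issue check can run, which is exactly what puts the project name in front of every user. The second listing function shows one assumed way to derive project display from issue visibility instead, so the name only appears once the user can actually see an issue.

```python
# Model of a project-level gate followed by an issue-level decision.
# Invented names; this is a constructed illustration, not JIRA's implementation.
from dataclasses import dataclass, field


@dataclass
class Issue:
    key: str
    project: str
    fields: dict = field(default_factory=dict)  # custom field name -> value


class GroupGrant:
    """Project-wide grant: the decision is final at project level."""
    issue_scoped = False

    def __init__(self, members):
        self.members = set(members)

    def has_project_permission(self, user, project):
        return user in self.members

    def has_issue_permission(self, user, issue):
        return True


class UserCFGrant:
    """'User Custom Field Value' grant: the real decision is per issue, so the
    project-level check answers True (the behaviour the report describes)."""
    issue_scoped = True

    def __init__(self, field_name):
        self.field_name = field_name

    def has_project_permission(self, user, project):
        return True  # cannot know without an issue, so the gate opens for everyone

    def has_issue_permission(self, user, issue):
        return issue.fields.get(self.field_name) == user


def can_view_issue(scheme, user, issue):
    return any(g.has_project_permission(user, issue.project)
               and g.has_issue_permission(user, issue)
               for g in scheme.get(issue.project, []))


def visible_projects_leaky(scheme, user):
    """Project list as the report observes it: any grant's project-level answer."""
    return sorted(p for p, grants in scheme.items()
                  if any(g.has_project_permission(user, p) for g in grants))


def visible_projects_strict(scheme, user, issues):
    """Assumed remedy: issue-scoped grants reveal a project only when the user can
    view at least one of its issues; project-wide grants keep their direct answer."""
    shown = {p for p, grants in scheme.items()
             if any(not g.issue_scoped and g.has_project_permission(user, p)
                    for g in grants)}
    shown.update(i.project for i in issues if can_view_issue(scheme, user, i))
    return sorted(shown)


# Constructed reproduction of the recipe: project BLAH, custom field myuser, user dummy.
SCHEME = {"BLAH": [GroupGrant({"admin"}), UserCFGrant("myuser")]}
```

Calling `visible_projects_leaky(SCHEME, "dummy")` returns `["BLAH"]` before dummy is named in any issue, while `visible_projects_strict` returns `[]` until `Issue("BLAH-1", "BLAH", {"myuser": "dummy"})` is part of the issue list.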
Issue Links
- duplicates
  - JRASERVER-37117 Grant "Browse Project" permission to "User Custom Field Value" makes project visible to all users (Long Term Backlog)
  - JRASERVER-14424 Separate permissions for issue filtering and project display (Gathering Interest)