Details
Bug
Resolution: Unresolved
Low
None
4.1
atlassian-jira-enterprise-4.1-SNAPSHOT-standalone build 566 on CentOS 5.4
java version "1.6.0_12"
4.01
Severity 3 - Minor
Description
If a user lacks the 'View Voters and Watchers' permission but has the 'Manage Watchers' permission, there is an inconsistency in the visible information available via JQL and the issue view.
For example, consider the following project's permission scheme:
Only members of the 'jira-administrators' group are able to 'View Voters and Watchers'.
Such a user is able to do so via JQL:
Consider a user that is not a member of the 'jira-administrators' group and lacks the 'View Voters and Watchers' permission, but is a member of the 'jira-developers' group, which is conferred the 'Manage Watchers' permission:
They do not see the same list of issues as the member of the 'jira-administrators' group did via JQL:
However, if they view the issue, they are then allowed to view the watchers because of the conferred 'Manage Watchers' permission:
This is inconsistent with JQL where they are not allowed to view this information.
I suggest that either JQL allows users who possess the 'Manage Watchers' permission to view watchers via the watcher clause in JQL, or that 'Manage Watchers' requires the user to also have the 'View Voters and Watchers' permission.