Details
- Bug
- Resolution: Won't Fix
- Medium
- None
- 6.0.3, 6.0.4
- None
- 6
Description
Let's say we have a user_A with the following permissions:
- Manage Watchers
- Browse Projects
- But this user does not have the Browse Users global permission.
When user_A attempts to add a user to the list of Watchers for an issue, he gets this screen: NoBrowseUsers_Permission.jpg. Basically, the user cannot see any users in the list to add.
However, user_A can still add users to the watchers list, but he has to type their username. Although the auto-complete doesn't work, if you type the full username and press "enter", the user will be added to the watchlist.
Isn't this a security concern, when you don't want to allow user_A to browse other users, but you allow user_A to add usernames to the watchlist?
==== Steps to reproduce ====
- Install JIRA 6.0.4
- Create a new project.
- Create user_A and add this user to the Manage Watchers and Browse Projects permissions in the project's permission scheme.
- Remove this user from the Browse Users global permission.
- Create an issue, and get user_A to edit the Watchers list, and add another user via username. Observe that the autocomplete doesn't work but the username is still added.
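
The mismatch described in this report, as an added example that is not JIRA code and not part of the original issue: a minimal Python model in which the user picker checks Browse Users but the add-watcher action checks only Manage Watchers, next to a version that applies the same gate to both. All function names, the sample users and the "no such user" response are assumptions made for illustration.

```python
# Minimal model of the behaviour in this report; names are hypothetical, not JIRA's API.
from dataclasses import dataclass, field

MANAGE_WATCHERS = "Manage Watchers"   # project permission named in the report
BROWSE_USERS = "Browse Users"         # global permission named in the report

# Constructed sample data.
USERS = {"user_A", "alice", "bob"}
GRANTS = {"user_A": {MANAGE_WATCHERS}, "alice": {MANAGE_WATCHERS, BROWSE_USERS}}


@dataclass
class Issue:
    watchers: set = field(default_factory=set)


def can(actor, permission):
    return permission in GRANTS.get(actor, set())


def suggest_users(actor, prefix):
    """User picker / autocomplete: gated on Browse Users."""
    if not can(actor, BROWSE_USERS):
        return []
    return sorted(u for u in USERS if u.startswith(prefix))


def add_watcher_as_reported(actor, issue, username):
    """Behaviour described in the report: only Manage Watchers is checked."""
    if not can(actor, MANAGE_WATCHERS):
        return "forbidden"
    if username not in USERS:
        return "no such user"      # assumed response; differs from "added" for real names
    issue.watchers.add(username)
    return "added"


def add_watcher_hardened(actor, issue, username):
    """Same gate as the picker, applied before the user directory is consulted."""
    if not can(actor, MANAGE_WATCHERS):
        return "forbidden"
    if username != actor and not can(actor, BROWSE_USERS):
        return "forbidden"         # same answer for real and made-up usernames
    if username not in USERS:
        return "no such user"
    issue.watchers.add(username)
    return "added"
```

In the hardened version the Browse Users check runs before the lookup, so an actor without that permission gets the same response whether or not the typed username exists.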