-
Bug
-
Resolution: Duplicate
-
Medium
-
None
-
5.2.2, 5.2.11, 6.1
-
5.02
-
Steps to reproduce
- Create a project with and set only 'Reporter' in the 'Browse Project' permission for the project.
Expected Behavior
- Atleast, only users who have the 'create issue' permission for the project and/or have already created issues in the project should be able to see it.
Actual Behavior
- All logged-in users are actually able to see the project, including users who don't have create issue permissions and are not potentially reporters.
- They are however not able to see any issues in the project.
- Removing 'Reporter' from the 'Browse Project' permission, removes any unauthorised access to the project again.
Other notes:
- This bug seems to match the exact same behavior as reported for the 'Current Reporter' permission in https://jira.atlassian.com/browse/JRA-34389. However, I have created a seperate bug for it because this documentation clearly states that the 'reporter' permission is different from the 'current reporter' permission. If this is a mistake, I guess the ticket can be closed as such.
- The obvious workaround ofcourse is not to use 'Reporter' at all in the 'Browse Project Permissions', but the problem with this is that some use-cases need to allow any body who has created an issue in a project to be able to browse the project and atleast access issues they have reported.
- duplicates
-
JRASERVER-34389 Regression - "Browse Project" permission for "Reporter" grants users to see projects they are not permitted to.
- Short Term Backlog