Uploaded image for project: 'Jira Data Center'
  1. Jira Data Center
  2. JRASERVER-42609

Assignee permission check during IssueService validateUpdate uses the JIRA authentication context user not the supplied user

XMLWordPrintable

    • Icon: Bug Bug
    • Resolution: Fixed
    • Icon: Low Low
    • 8.4.2, 8.5.0
    • 7.0.0, 7.2.15, 8.0.0, 7.6.14, 8.4.0, 7.13.6, 8.3.3
    • Java API

      NOTE: This bug report is for JIRA Server. Using JIRA Cloud? See the corresponding bug report.

      If the JiraAuthenticationContext is null (as it is for services) the IssueService validateUpdate fails on the assignee permission check, despite the api being given a user.

      public UpdateValidationResult validateUpdate(ApplicationUser user, Long issueId, IssueInputParameters issueInputParameters)
      

      When a NULL JAC context is present, when updating an issue, with no ASSIGNEE property present, the errors variable in the above method contain:

      Errors: {}
      Error Messages: [You do not have permission to assign issues.]
      

      If the 'user' above is set as the JiraAuthenticationContext user, then no such error occurs.

      During validateAndUpdateIssueFromFields() >

      public void validateParams(OperationContext operationContext, ErrorCollection errorCollectionToAddTo, I18nHelper i18n, Issue issue, FieldScreenRenderLayoutItem fieldScreenRenderLayoutItem)
      

      This method doesn't get the 'user' that was supplied through the issueservice validate method, which is a bug, the validateParams() method has:

                  // The user must have 'assign' permission - as otherwise 'automatic' should be chosen, or the field should not
                  // be presented at all
                  if (!hasPermission(issue, Permissions.ASSIGN_ISSUE))
                  {
                      errorCollectionToAddTo.addErrorMessage(i18n.getText("assign.error.no.permission"), Reason.FORBIDDEN);
                      return;
                  }
      

      which leads to:

      permissionManager.hasPermission(permissionId, issue, getAuthenticationContext().getUser());
      

      Therefore services need to hack the JiraAuthenticationContext user to be the same user being supplied through the issueservice API in order to stop validation errors, which should not be the case, it should use the user supplied through the issueservice validate method.

              drauf Daniel Rauf
              cd3cc7134331 Andy Brook
              Votes:
              16 Vote for this issue
              Watchers:
              14 Start watching this issue

                Created:
                Updated:
                Resolved: