Project's permission bypass JIRA global permissions

XMLWordPrintable

    • 6.04
    • Severity 3 - Minor
    • Hide
      Atlassian Update – 28 May 2018

      Hi everyone,

      We have recently reviewed this issue and the overall interest in the problem. As the issue hasn't collect votes, watchers, comments, or support cases from many customers during its lifetime, it's very low on our priority list, and will not be fixed in the foreseeable future. That's why we've decided to resolve it as Time Out.

      Although we're aware the issue is still important to those of you who were involved in the conversations around it, we want to be clear in managing your expectations. The Jira team is focusing on issues that have broad impact and high value, reflected by the number of comments, votes, support cases, and customers interested. Please consult the Atlassian Bugfix Policy for more details.

      We understand how disappointing this decision may be, but we hope you'll appreciate our transparent approach and communication.
      Atlassian will continue to watch this issue for further updates, so please feel free to share your thoughts in the comments.

      Thank you,
      Ignat Alexeyenko
      Jira Bugmaster

      Show
      Atlassian Update – 28 May 2018 Hi everyone, We have recently reviewed this issue and the overall interest in the problem. As the issue hasn't collect votes, watchers, comments, or support cases from many customers during its lifetime, it's very low on our priority list, and will not be fixed in the foreseeable future. That's why we've decided to resolve it as Time Out . Although we're aware the issue is still important to those of you who were involved in the conversations around it, we want to be clear in managing your expectations. The Jira team is focusing on issues that have broad impact and high value, reflected by the number of comments, votes, support cases, and customers interested. Please consult the Atlassian Bugfix Policy for more details. We understand how disappointing this decision may be, but we hope you'll appreciate our transparent approach and communication. Atlassian will continue to watch this issue for further updates, so please feel free to share your thoughts in the comments. Thank you, Ignat Alexeyenko Jira Bugmaster

      Summary

      Users are able to create/comment issues via email without group membership if they are added directly to the project's permission.
      User shouldn't be able to do that since he can't access the application itself.

      Same applies to JIRA's notifications.

      Steps to Reproduce

      1. Remove user from all groups
      2. Add user directly to the project's "Browse Projects" and "Create Issues" permissions
      3. Send an email to JIRA form the user/trigger notification to user from JIRA

      Expected Results

      User doesn't create issues/receive notification since he can't log into JIRA

      Actual Results

      User successfully creates issues and receives notifications from JIRA

              Assignee:
              Unassigned
              Reporter:
              Marcus Silveira
              Votes:
              0 Vote for this issue
              Watchers:
              5 Start watching this issue

                Created:
                Updated:
                Resolved: