- Bug
- Resolution: Duplicate
- Low
- None
- 6.4.6
- 6.04
Summary
- This bug is related to closed bug ticket https://jira.atlassian.com/browse/JRA-8950
- When the Current Assignee is given the Browse Project Permission, other users are able to view this Project.
- They can't necessarily view issues or create issues, but they can see the project from the View All Projects page.
- They are also able to see the project name in the project filter on the Issue Search navigator, but no issues will be displayed. Only the name of the filter at Projects. When trying to search issues from restricted projects, it will show "No issues were found to match your search", which is good.
Steps to Reproduce
1. Ensure you have a Jira instance with several projects, e.g. 'Project A' and 'Project B' - Done
2. Ensure you have at least two different permission schemes, e.g. 'Permission Scheme A' and 'Permission Scheme B' - Done
3. Ensure that e.g. 'Project A' uses 'Permission Scheme A' and 'Project B' uses 'Permission Scheme B' - Done
4. Ensure that the 'Browse Project' permission is restricted to the appropriate project roles in each permission scheme, e.g. to the project role 'Tester' - Done
5. Ensure that e.g. 'User A' is assigned as 'Tester' to 'Project A' only, while 'User B' is assigned as 'Tester' to 'Project B' - Done
Expected Results:
User A is not supposed to be able to see Project B at all.
Actual Results:
User A is able to see Project A at various places:
1. View All Projects
2. Issue Navigator
Workaround
- Remove Current Assignee on Browse Projects Permission
- supersedes: JRASERVER-8950 "Current Assignee" on Browse Permission creates security hole (Closed)
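An audit for the workaround above, as an added example that is not part of the ticket or Atlassian's code: it scans a permission-scheme listing for Browse Projects grants held by Current Assignee. The JSON shape (the `permissionSchemes` / `permissions` / `holder.type` layout of the permission scheme REST resource in later Jira releases), the `assignee` holder type and the sample data are assumptions; the 6.4.6 instance in this ticket may not expose that resource.

```python
import json

# Constructed sample, shaped like a permission-scheme listing with grants
# expanded (assumed layout; scheme names reuse the ticket's examples).
SAMPLE = json.loads("""
{"permissionSchemes": [
  {"id": 10001, "name": "Permission Scheme A", "permissions": [
    {"id": 1, "permission": "BROWSE_PROJECTS",
     "holder": {"type": "projectRole", "parameter": "10100"}},
    {"id": 2, "permission": "BROWSE_PROJECTS",
     "holder": {"type": "assignee"}}
  ]},
  {"id": 10002, "name": "Permission Scheme B", "permissions": [
    {"id": 3, "permission": "BROWSE_PROJECTS",
     "holder": {"type": "projectRole", "parameter": "10100"}},
    {"id": 4, "permission": "ADD_COMMENTS",
     "holder": {"type": "assignee"}}
  ]}
]}
""")

# Holder types that are only meaningful relative to a single issue.
# The ticket covers Current Assignee; pass a different set to widen the audit.
ISSUE_SCOPED_HOLDERS = frozenset({"assignee"})
BROWSE_KEY = "BROWSE_PROJECTS"


def find_risky_grants(listing, holders=ISSUE_SCOPED_HOLDERS):
    """Return (scheme name, grant id, holder type) for every Browse Projects
    grant whose holder is issue-scoped, e.g. Current Assignee."""
    findings = []
    for scheme in listing.get("permissionSchemes", []):
        for grant in scheme.get("permissions", []):
            # Tolerate grants with a missing or null holder object.
            holder = (grant.get("holder") or {}).get("type", "")
            if grant.get("permission") == BROWSE_KEY and holder in holders:
                findings.append((scheme.get("name"), grant.get("id"), holder))
    return findings


if __name__ == "__main__":
    for name, grant_id, holder in find_risky_grants(SAMPLE):
        print(f"{name}: grant {grant_id} gives Browse Projects to '{holder}'")
```

Each finding is a grant to remove per the workaround; the role-based Browse Projects grants in the same scheme are left alone.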