Jira Data Center / JRASERVER-59859

User can set Issue Security to any level if the issue security level has User Custom Field Value and/or Group Custom Field Value assigned


    • Type: Bug
    • Resolution: Unresolved
    • Priority: Medium
    • None
    • 6.3.15
    • Issue - Fields

      Summary

      User can set Issue Security to any level if the issue security level has User Custom Field Value and/or Group Custom Field Value assigned.

      Steps to Reproduce

      1) Create a new project (any type) 'Phoenix'.
      2) Create a new user 'felix', make sure the 'jira-users' group is the only group 'felix' is added to, and only the Project Role - Users is assigned to 'felix'.
      3) Create a new group called 'legendary', create a new user called 'kurt' and add him to the group.
      4) Grant the Edit Issue and Set Issue Security project permissions to 'felix' in the Phoenix project.
      5) Create the new custom fields below and associate them with the Create Issue and Edit Issue screens in the Phoenix project.

      - Type: Group Picker (single group)
      - Name: Team

      - Type: User Picker (single user)
      - Name: Who
      - Filter: group 'legendary' only

      6) For the Phoenix project, create a new Issue Security Scheme called 'Tron' with Security Levels as per the screenshot below.

      Test 1:
      a) As an admin or any other user than 'felix', create an issue in the Phoenix project, set the Team to 'legendary'.
      b) In another browser, log in as 'felix'. Edit the issue created in a) to set a Security Level.

      Test 2:
      i) As an admin or any other user than 'felix', create an issue in the Phoenix project, set the Who to 'kurt'.
      ii) In another browser, log in as 'felix'. Edit the issue created in i) to set a Security Level.

      Expected Results

      'felix' does not belong to group 'legendary' and he's not in the Administrator project role, so he should not be able to see and set the level to L1.
      'felix' does not belong to group 'legendary' and he's not the Project Lead, so he should not be able to see and set the level to L2.
      'felix' is not in the Developers project role, so he should not be able to see and set the level to L3.

      Actual Results

      'felix' can see and set the Issue Security level to L1 and L2 (not as expected), but not L3 (as expected).
      The Issue Security level does not respect the values of the Group Custom Field and the User Custom Field.

      Workaround

      n/a
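
The membership check this ticket expects, as an added Python model (not Jira's code and not part of the original report). Level membership for L1 to L3 is inferred from the Expected Results because the screenshot is not available; the project lead name 'admin', the function names and the `compare_field_values` switch are assumptions, and the switch only mimics the reported outcome rather than Jira's actual code path. The Set Issue Security permission itself is not modeled.

```python
from dataclasses import dataclass, field

@dataclass
class User:
    name: str
    groups: set = field(default_factory=set)
    roles: set = field(default_factory=set)   # project roles in Phoenix

@dataclass
class Issue:
    fields: dict        # custom field name -> value set on the issue
    project_lead: str

# 'Tron' scheme, inferred from the ticket's Expected Results (assumption).
TRON = {
    "L1": [("group_field", "Team"), ("role", "Administrator")],
    "L2": [("user_field", "Who"), ("project_lead", None)],
    "L3": [("role", "Developers")],
}

def entry_matches(kind, arg, user, issue, compare_field_values=True):
    """True if one security-level entry grants the level to `user` on `issue`."""
    if kind == "role":
        return arg in user.roles
    if kind == "project_lead":
        return issue.project_lead == user.name
    if not compare_field_values:
        # Mimics the reported outcome only: field-based entries match anyone.
        return True
    value = issue.fields.get(arg)
    if value is None:                      # empty field grants nothing
        return False
    if kind == "group_field":
        return value in user.groups        # user must be in the picked group
    if kind == "user_field":
        return value == user.name          # user must be the picked user
    return False

def settable_levels(user, issue, scheme=TRON, compare_field_values=True):
    """Security levels the user should be offered when editing the issue."""
    return sorted(level for level, entries in scheme.items()
                  if any(entry_matches(k, a, user, issue, compare_field_values)
                         for k, a in entries))

# Constructed fixtures following the reproduction steps.
felix = User("felix", {"jira-users"}, {"Users"})
kurt = User("kurt", {"legendary"})
test1 = Issue({"Team": "legendary"}, project_lead="admin")   # Test 1
test2 = Issue({"Who": "kurt"}, project_lead="admin")         # Test 2
```

With the value comparison in place 'felix' is offered no level on either test issue, while 'kurt' is offered L1 in Test 1 and L2 in Test 2; with it switched off 'felix' is offered L1 and L2 but not L3, matching the Actual Results.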

      Attachments: securityLvl.PNG (29 kB, Michelle Chin)

      Assignee: Unassigned
      Reporter: Michelle Chin (Inactive)
      Votes: 11
      Watchers: 6