
I can create issue links to projects for which I do not have Link Issues permissions

      NOTE: This bug report is for JIRA Server. Using JIRA Cloud? See the corresponding bug report.

      Summary

      Creating issue links to projects for which I do not have Link Issues permissions

      Steps to Reproduce

      1. Create 2 projects in JIRA: project A and project B
      2. Project A is using default permission scheme, where Link Issues permission is set to Any Logged In user
      3. Project B is using a modified permission scheme where no role has the permissions to Link Issues
      4. Find an Issue in Project A, and link it to any issue in project B

      Expected Results

      Either result would be expected here:

      • JIRA creates the link on issue A, which is allowed per the permissions above, but does not create a link on issue in project B.
      • Or JIRA warns user that a reciprocal link can't be created on Issue B due to permissions (either way when we look at Issue B, we should not see any links)

      Actual Results

      JIRA creates the link on both issues, despite project B's permission scheme that does not allow any user to link issues

      Notes

      Workaround

      none

      Original Description

      This happened in a single-server setup. I had two projects, Project A and Project B. My user only had the Link Issues permission in Project A.

      I then tried to create an issue link from an issue in Project A to one in Project B which worked fine. I expected the issue link operation to fail b/c I just created an issue link on an issue of a project where I don't have the Link Issues permission. That just feels like breaking the permission restrictions.
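The report's scenario as an added model, not Jira's own code: it contrasts a check that looks only at the source project (the behaviour under Actual Results) with one that also checks the project receiving the reciprocal link, and uses the difference to audit link records. The scheme table, group name, issue keys and function names are constructed for illustration.

```python
from dataclasses import dataclass

# Constructed permission schemes mirroring the Steps to Reproduce:
# project A grants Link Issues to any logged-in user, project B to no one.
LINK_ISSUES = {"A": {"any-logged-in"}, "B": set()}

@dataclass(frozen=True)
class Link:
    source: str                # issue the user linked from, e.g. "A-1"
    target: str                # issue that receives the reciprocal link
    creator_groups: frozenset  # groups/roles of the user who created it

def project_of(issue_key):
    return issue_key.rsplit("-", 1)[0]

def may_link(groups, issue_key, schemes=LINK_ISSUES):
    """True if any of the user's groups holds Link Issues in the issue's project."""
    return bool(schemes.get(project_of(issue_key), set()) & groups)

def check_source_only(link):
    """Behaviour described under Actual Results: only the source project is checked."""
    return may_link(link.creator_groups, link.source)

def check_both_ends(link):
    """Stricter policy (second Expected Results option): returns (allowed, warning)."""
    if not may_link(link.creator_groups, link.source):
        return False, f"no Link Issues permission in project {project_of(link.source)}"
    if not may_link(link.creator_groups, link.target):
        return False, f"reciprocal link on {link.target} not permitted by project {project_of(link.target)}"
    return True, None

def audit(links):
    """Links the source-only check accepts but the both-ends policy would reject."""
    return [l for l in links if check_source_only(l) and not check_both_ends(l)[0]]

# Constructed sample link records.
USER = frozenset({"any-logged-in"})
SAMPLE = [
    Link("A-1", "B-7", USER),  # the case from the report
    Link("A-1", "A-2", USER),  # both ends in project A: allowed either way
    Link("B-7", "A-1", USER),  # source in project B: rejected by both checks
]

if __name__ == "__main__":
    for link in audit(SAMPLE):
        print(link.source, "->", link.target, ":", check_both_ends(link)[1])
```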

            [JRASERVER-61246] I can create issue links to projects for which I do not have Link Issues permissions


            Alicia Pena added a comment - We need to restrict all linking to a project Jira in a particular status. But haven't found a way to do that. All solutions we've tried only block outgoing links from that project yet still allow other projects to link to it.

            MattS added a comment -

            I think this is how I would expect linking to work. The use case is that I want third party contractors to be able to add links to issues in projects that they cannot view. And I want them to see that there are links to other projects' issues in the issues that they can view. The only leak of information here is the project key.

            Perhaps the documentation about Link Issues permission needs to be more explicit, e.g.

            "Link Issues allows a user to create links from the current issue to other issues, even if the user is unable to view the target issues. Reciprocal links are always created."

            Note that if you don't have Browse permission on project B you can still create a link to an issue in Project B by entering the issue key. You just don't get to see the summary of the issue.


              Unassigned Unassigned
              akavelar Albert Kavelar
              Affected customers: 6
              Watchers: 16
