Create Issue without Browse Project triggers 404 on assignee field

Summary

If the assignee field is added to the create issue screen, and a the permission scheme is set with "any logged in user" for Create issue and Assign User, BUT DOES NOT include the Browse Project permission. If the user creating an issue clicks into the Assignee field they trigger a pop up error

Environment

• JIRA Cloud
  • Tested on v1000.319.1
• JIRA Server
  • 7.2.0

Steps to Reproduce

1. Add assignee field to Create issue Screen (Default configuration)
2. Using the Default Permissions scheme or creating a custom scheme which has "Application Access any Logged in user" allow permission for:
   1. Assign Issue
   2. Create Issue
3. Remove permission Browse Project for "any logged in user"
4. Log in as a user that does not have Browse Project permission
5. User also has browse users global permission
6. Create issue in the project
7. Select the assignee field

Expected Results:

assignee field works as you are allowed to add assignee and browse users via permission scheme, or a warning indicating "you do not have adequate permissions to browse project details, Please contact your administrator" is displayed

Actual Results

A popup warning is triggered:

<URL_TO_INSTANCE> says:
The JIRA server was contacted but has returned an error response. We are unsure of the results of this operation.

[ ] Prevent this page from creating additional dialogs.

The following 404 appears in development tools javascript console

batch.js?agile_global_admin_condition=true&atlassian.aui.raphael.disabled=true&jag=true&jaguser=tru…:6011 GET https://<INSTANCE_NAME>/rest/api/latest/user/assignable/multiProje…earch?username=&projectKeys=TEST&maxResults=50&startAt=0&_=1473435327305 404 (Not Found)XMLHttpRequest.send @ batch.js?agile_global_admin_condition=true&atlassian.aui.raphael.disabled=true&jag=true&jaguser=tru…:6011send @ batch.js?atlassian.aui.raphael.disabled=true&locale=en-US:213ajax @ batch.js?atlassian.aui.raphael.disabled=true&locale=en-US:207u @ batch.js?atlassian.aui.raphael.disabled=true&locale=en-US:1289j.makeRequest @ batch.js?atlassian.aui.raphael.disabled=true&locale=en-US:1289makeRequest @ batch.js?atlassian.aui.raphael.disabled=true&locale=en-US:3407incubateRequest @ batch.js?atlassian.aui.raphael.disabled=true&locale=en-US:3407execute @ batch.js?atlassian.aui.raphael.disabled=true&locale=en-US:3407execute @ batch.js?atlassian.aui.raphael.disabled=true&locale=en-US:3407execute @ batch.js?atlassian.aui.raphael.disabled=true&locale=en-US:3407requestSuggestions @ batch.js?atlassian.aui.raphael.disabled=true&locale=en-US:3410requestSuggestions @ batch.js?atlassian.aui.raphael.disabled=true&locale=en-US:3834(anonymous function) @ batch.js?atlassian.aui.raphael.disabled=true&locale=en-US:1271_handleCharacterInput @ batch.js?atlassian.aui.raphael.disabled=true&locale=en-US:3410_handleCharacterInput @ batch.js?atlassian.aui.raphael.disabled=true&locale=en-US:3428(anonymous function) @ batch.js?atlassian.aui.raphael.disabled=true&locale=en-US:1271_handleCharacterInput @ batch.js?atlassian.aui.raphael.disabled=true&locale=en-US:3834(anonymous function) @ batch.js?atlassian.aui.raphael.disabled=true&locale=en-US:1271_handleDown @ batch.js?atlassian.aui.raphael.disabled=true&locale=en-US:3410click @ batch.js?atlassian.aui.raphael.disabled=true&locale=en-US:3410_dispatchers.(anonymous function) @ batch.js?atlassian.aui.raphael.disabled=true&locale=en-US:1274dispatch @ batch.js?atlassian.aui.raphael.disabled=true&locale=en-US:120h @ batch.js?atlassian.aui.raphael.disabled=true&locale=en-US:112
batch.js?atlassian.aui.raphael.disabled=true&locale=en-US:1289 ajax[38127306] error : {
successful  : false,
status      : 404,
statusText  : error,
hasData     : true,
readyState  : 4,
requestId   : 38127306,
aborted     : undefined,
}

Notes:

Testing discovered:

• If you know a user name you can add it to the field dismiss the error and create the issue and the assignee will populate
• An additional error occurs if you select the option Prevent this page From Creating Additional Dialogs.
  • After selecting the prevent option
  • If you try to modify the assignee field the Page locks up Indefinitely and cannot be escaped (ESC key, cancel Button)
    • there are two ways to exit the page at this point:
      • refreshing the page, and erase all content
      • Select the Create Button, but no other content can be added to the Create issue screen once locked, and as the user does not have browse project permission the issue cannot me changed later

Workaround's

1. Add Reporter to the browse Project Permission which will allow the user to View any Issue that they are the reporter on.
2. Use Issue collector which can set the assignee to the project lead with the use of use the Default Assignee of a project (Project Lead) for issues created.
3. Remove the assignee field from the create issue screen
4. Remove the user's association from the Assign issue permission to remove the field as an option on create for users without the permission
5. Remove the user's association from the Create issue permission so the user cannot create issue in the project that they cannot browse

To remove the Locking issue from selecting Prevent this page From Creating Additional Dialogs. Flush Browser cache and the error popup will return.