JIRA "Create Project with Shared Configuration" exposes list of projects to admins who don't have Browse Project permissions


    • 7.03
    • Severity 3 - Minor

      NOTE: This bug report is for JIRA Server. Using JIRA Cloud? See the corresponding bug report.

      The JIRA Permission Scheme exposes a Browse Project permission, which should deny access to the project listing to anyone without it.

      It is a valid configuration to have a JIRA Admin who is able to Create Projects but does not have Browse Project permissions.

      The "Create Project with Shared Configuration" feature exposes a Project dropdown which lists all the existing projects in the instance, without honoring the Browse Project permissions.

      Steps to reproduce:

      Logged in as admin:

      • Create user "foo" in the administrator group (therefore it will have Create Project permissions)
      • Create a "bar" project using Default Permission Scheme
      • In Administration/Permission Schemes, remove administrator group from Browse Projects permission

      Logged in as foo:

      • Navigate to "Projects"/"View All Projects"; you won't be able to see the "bar" project (correct behavior)
      • Hit "Projects"/"Create project"
      • Click on the bottom link "Create with shared configuration"
      • In the "Choose a project" dropdown, you'll be able to list the "bar" project (unexpected behavior)
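
The missing check, as an added sketch that is not JIRA's code or part of the original report: a simplified model of a permission scheme in which the reported dropdown returns every project, while the expected one applies the same Browse Projects filter as "View All Projects". The group name `administrators`, the second project `baz`, and all function names are assumptions made for the illustration.

```python
from dataclasses import dataclass, field

BROWSE = "BROWSE_PROJECTS"  # label for the project-level Browse Projects permission


@dataclass
class Project:
    key: str
    # Permission scheme: permission name -> set of groups granted it.
    scheme: dict = field(default_factory=dict)


@dataclass
class User:
    name: str
    groups: frozenset


def has_permission(user, project, permission):
    """True if any of the user's groups is granted `permission` on `project`."""
    return bool(user.groups & project.scheme.get(permission, set()))


def view_all_projects(user, projects):
    """'View All Projects': filtered by Browse Projects (the correct behavior)."""
    return [p.key for p in projects if has_permission(user, p, BROWSE)]


def shared_config_dropdown_reported(user, projects):
    """Dropdown as reported: every project in the instance, no per-project check."""
    return [p.key for p in projects]


def shared_config_dropdown_expected(user, projects):
    """Expected behavior: offer only projects the user is allowed to browse."""
    return [p.key for p in projects if has_permission(user, p, BROWSE)]


def reproduce():
    # Constructed data mirroring the steps to reproduce.
    foo = User("foo", frozenset({"administrators"}))
    bar = Project("bar", {BROWSE: {"administrators"}})
    baz = Project("baz", {BROWSE: {"administrators"}})  # constructed control project
    bar.scheme[BROWSE].discard("administrators")  # remove group from Browse Projects
    projects = [bar, baz]
    return {
        "view_all": view_all_projects(foo, projects),
        "reported": shared_config_dropdown_reported(foo, projects),
        "expected": shared_config_dropdown_expected(foo, projects),
    }
```

A regression test for the fix would assert that the dropdown's contents equal the "View All Projects" listing for the same user.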

       

       

            Assignee:
            Unassigned
            Reporter:
            Marcio Ghiraldelli (Inactive)