Loading...

XML

Word

Printable

Type: Bug
Resolution: Fixed
Priority: Low
Fix Version/s: 8.4.2, 8.5.0
Affects Version/s: 7.0.0, 7.5.2, 7.6.14, 7.9.0, 7.13.6, 8.3.3, 8.4.0
Component/s: Java API
Labels:
None

Fixed in Long Term Support Release/s:

Download 8.5
Introduced in Version:
7
Support reference count:
2
Symptom Severity:
Severity 3 - Minor
UIS:
1

Method AssigneeSystemField#validateParams is used to validate Assignee for multiple IssueService methods e.g.:

validateAssign
validateUpdate

It's supposed to get ApplicationUser user from these methods for validation (checking Assign Issues permission in particular). However, currently it doesn't and checks the permission against the current logged-in user instead:

hasPermission(ProjectPermissions.ASSIGN_ISSUES, issue, getAuthenticationContext().getLoggedInUser())

This is a bug in which:

The current logged-in user may be anyone and the validation may pass in an unexpected way if this user has Assign Issues permission
In case this user doesn't have the permission, this error is thrown regardless:
```
You do not have permission to assign issues.
```

causes

JRASERVER-42609 Assignee permission check during IssueService validateUpdate uses the JIRA authentication context user not the supplied user

Closed

relates to: MNSTR-3208 Loading...

Assignee:: Daniel Rauf
Reporter:: Andy Nguyen (Inactive)
Votes:: 4 Vote for this issue
Watchers:: 9 Start watching this issue

Created:: 20/Apr/2018 7:32 AM
Updated:: 22/May/2020 8:25 AM
Resolved:: 02/Oct/2019 6:29 PM

Details

Description

Attachments

Issue Links

Activity

People

Dates