Uploaded image for project: 'Jira Data Center'
  1. Jira Data Center
  2. JRASERVER-67183

validateParams validates the wrong user

XMLWordPrintable

    • Icon: Bug Bug
    • Resolution: Fixed
    • Icon: Low Low
    • 8.4.2, 8.5.0
    • 7.5.2, 7.0.0, 7.9.0, 7.6.14, 8.4.0, 7.13.6, 8.3.3
    • Java API
    • None

      Method AssigneeSystemField#validateParams is used to validate Assignee for multiple IssueService methods e.g.:

      • validateAssign
      • validateUpdate

      It's supposed to get ApplicationUser user from these methods for validation (checking Assign Issues permission in particular). However, currently it doesn't and checks the permission against the current logged-in user instead:

      hasPermission(ProjectPermissions.ASSIGN_ISSUES, issue, getAuthenticationContext().getLoggedInUser())
      

      This is a bug in which:

      • The current logged-in user may be anyone and the validation may pass in an unexpected way if this user has Assign Issues permission
      • In case this user doesn't have the permission, this error is thrown regardless:
        You do not have permission to assign issues.
        

         

              drauf Daniel Rauf
              vdung Andy Nguyen (Inactive)
              Votes:
              4 Vote for this issue
              Watchers:
              9 Start watching this issue

                Created:
                Updated:
                Resolved: