Uploaded image for project: 'Jira Data Center'
  1. Jira Data Center
  2. JRASERVER-67662

Users without 'Bulk Change' Global Permission can see 'Bulk Operation' option for sub-task

XMLWordPrintable

    • Icon: Bug Bug
    • Resolution: Unresolved
    • Icon: Low Low
    • None
    • 7.10.0, 7.13.0, 7.13.1, 8.0.0-beta, 9.4.7
    • Bulk Operations
    • None

      Summary

      When a user does not have the 'Bulk Change' Global Permission, they are still able to see the 'Bulk Operation' for sub-task. They can click on it and continue with the bulk operations. Only after the confirmation screen, the user will face Error 404 and the bulk operation will be dropped.

      Steps to reproduce the issue

      1. Login with a normal jira user account.
      2. Create a parent issue.
      3. Create two subtasks under the parent issue.
      4. Logout and login with Admin account and remove the jira user account from 'Bulk Change' Global Permission
      5. Logout and login with a normal jira user account and open the parent issue.
      6. At the "Sub-Tasks" option, click the Triple Dot and select "Bulk Operation"
      7. Select the two sub-tasks and proceed to click next.

      In the logs, we can see the following errors:

      2023-07-13 11:33:57,291+0000 http-nio-8080-exec-29 url: /internal-error ERROR      [c.a.j.web.servlet.InternalServerErrorServlet] {errorId=f752d0bc-8bf7-4077-a45a-97bcdbd7e4e1, interpretedMsg=, cause=java.lang.NullPointerException, stacktrace=java.lang.NullPointerException
    	at com.atlassian.jira.web.action.issue.bulkedit.BulkEdit1.lambda$getQuery$1(BulkEdit1.java:274) [classes/:?]
    	at java.base/java.util.Optional.orElseGet(Optional.java:369) [?:?]
    	at com.atlassian.jira.web.action.issue.bulkedit.BulkEdit1.getQuery(BulkEdit1.java:274) [classes/:?]
    	at com.atlassian.jira.web.action.issue.bulkedit.BulkEdit1.doValidation(BulkEdit1.java:111) [classes/:?]
    	at webwork.action.ActionSupport.validate(ActionSupport.java:391) [webwork-1.4-atlassian-31.jar:?]
    	at webwork.action.ActionSupport.execute(ActionSupport.java:162) [webwork-1.4-atlassian-31.jar:?]
    	at com.atlassian.jira.web.action.JiraWebActionSupport.execute(JiraWebActionSupport.java:1364) [jira-api-9.4.7.jar:?]
    	at webwork.interceptor.DefaultInterceptorChain.proceed(DefaultInterceptorChain.java:39) [webwork-1.4-atlassian-31.jar:?]
...
    , referer=https://JIRA-URL/issue/bulkedit/BulkEdit1!default.jspa?reset=true&searchParent=SC-1, servletErrorMessage=}

      Expected Results

      The 'Bulk Operation' should be hidden from the screen if the user does not have sufficient permission.

      Actual Results

      The 'Bulk Operation' is still visible despite user not having sufficient permission for the action.

      Workaround

      • Grant the 'Bulk Change' global permission to the user (if the user is eligible to do the bulk action)

        1. Sub-task.png
          Sub-task.png
          55 kB

              Unassigned Unassigned
              imazuki Irfan Mazli Mazuki (Inactive)
              Votes:
              8 Vote for this issue
              Watchers:
              13 Start watching this issue

                Created:
                Updated: