-
Bug
-
Resolution: Unresolved
-
Low
-
None
-
7.10.0, 7.13.0, 7.13.1, 8.0.0-beta, 9.4.7
-
None
-
7.1
-
8
-
Severity 3 - Minor
-
1
-
Summary
When a user does not have the 'Bulk Change' Global Permission, they can still see the 'Bulk Operation' option for sub-tasks. They can click it and continue with the bulk operation. Only after the confirmation screen does the user get Error 404, and the bulk operation is dropped.
Steps to reproduce the issue
- Log in with a normal Jira user account.
- Create a parent issue.
- Create two sub-tasks under the parent issue.
- Log out, log in with an Admin account, and remove the Jira user account from the 'Bulk Change' Global Permission.
- Log out, log in with the normal Jira user account, and open the parent issue.
- At the "Sub-Tasks" option, click the triple dot and select "Bulk Operation".
- Select the two sub-tasks and click Next.
In the logs, we can see the following errors:
2023-07-13 11:33:57,291+0000 http-nio-8080-exec-29 url: /internal-error ERROR [c.a.j.web.servlet.InternalServerErrorServlet] {errorId=f752d0bc-8bf7-4077-a45a-97bcdbd7e4e1, interpretedMsg=, cause=java.lang.NullPointerException, stacktrace=java.lang.NullPointerException
at com.atlassian.jira.web.action.issue.bulkedit.BulkEdit1.lambda$getQuery$1(BulkEdit1.java:274) [classes/:?]
at java.base/java.util.Optional.orElseGet(Optional.java:369) [?:?]
at com.atlassian.jira.web.action.issue.bulkedit.BulkEdit1.getQuery(BulkEdit1.java:274) [classes/:?]
at com.atlassian.jira.web.action.issue.bulkedit.BulkEdit1.doValidation(BulkEdit1.java:111) [classes/:?]
at webwork.action.ActionSupport.validate(ActionSupport.java:391) [webwork-1.4-atlassian-31.jar:?]
at webwork.action.ActionSupport.execute(ActionSupport.java:162) [webwork-1.4-atlassian-31.jar:?]
at com.atlassian.jira.web.action.JiraWebActionSupport.execute(JiraWebActionSupport.java:1364) [jira-api-9.4.7.jar:?]
at webwork.interceptor.DefaultInterceptorChain.proceed(DefaultInterceptorChain.java:39) [webwork-1.4-atlassian-31.jar:?]
...
, referer=https://JIRA-URL/issue/bulkedit/BulkEdit1!default.jspa?reset=true&searchParent=SC-1, servletErrorMessage=}
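One way to count how often users hit this error is to scan the Jira application log for the signature shown above. This is an added example, not part of the original ticket or Atlassian's code; the function names, the placeholder errorIds and the second log record are constructed for illustration.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample shaped like the excerpt above; errorIds are placeholders.
SAMPLE_LOG = """\
2023-07-13 11:33:57,291+0000 http-nio-8080-exec-29 url: /internal-error ERROR [c.a.j.web.servlet.InternalServerErrorServlet] {errorId=00000000-0000-0000-0000-000000000001, interpretedMsg=, cause=java.lang.NullPointerException, stacktrace=java.lang.NullPointerException
\tat com.atlassian.jira.web.action.issue.bulkedit.BulkEdit1.lambda$getQuery$1(BulkEdit1.java:274) [classes/:?]
\tat com.atlassian.jira.web.action.issue.bulkedit.BulkEdit1.getQuery(BulkEdit1.java:274) [classes/:?]
, referer=https://JIRA-URL/issue/bulkedit/BulkEdit1!default.jspa?reset=true&searchParent=SC-1, servletErrorMessage=}
2023-07-13 11:40:02,118+0000 http-nio-8080-exec-3 url: /internal-error ERROR [c.a.j.web.servlet.InternalServerErrorServlet] {errorId=00000000-0000-0000-0000-000000000002, interpretedMsg=, cause=java.lang.IllegalStateException, stacktrace=java.lang.IllegalStateException
\tat com.example.Other.run(Other.java:10) [classes/:?]
, referer=https://JIRA-URL/browse/SC-2, servletErrorMessage=}
"""

RECORD_START = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}[+-]\d{4} ")
ERROR_ID = re.compile(r"errorId=([0-9a-f-]+)")
REFERER = re.compile(r", referer=(\S+?), servletErrorMessage=")
# All three markers must appear in one record for it to count as this bug.
SIGNATURE = ("InternalServerErrorServlet",
             "cause=java.lang.NullPointerException",
             "bulkedit.BulkEdit1.getQuery(")

def split_records(text):
    """Group stack-trace continuation lines with the timestamped line they follow."""
    records, current = [], []
    for line in text.splitlines():
        if RECORD_START.match(line) and current:
            records.append("\n".join(current))
            current = []
        current.append(line)
    if current:
        records.append("\n".join(current))
    return records

def find_bulk_edit_npe(text):
    """Return one dict per log record that matches the BulkEdit1 NPE signature."""
    hits = []
    for rec in split_records(text):
        if not all(marker in rec for marker in SIGNATURE):
            continue
        start = RECORD_START.match(rec)
        error_id = ERROR_ID.search(rec)
        referer = REFERER.search(rec)
        query = parse_qs(urlsplit(referer.group(1)).query) if referer else {}
        hits.append({"timestamp": start.group(0).strip() if start else None,
                     "error_id": error_id.group(1) if error_id else None,
                     "parent_issue": query.get("searchParent", [None])[0]})
    return hits
```

The `parent_issue` value comes from the `searchParent` parameter in the referer, which identifies the parent issue whose sub-task bulk operation was attempted.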
Expected Results
The 'Bulk Operation' should be hidden from the screen if the user does not have sufficient permission.
Actual Results
The 'Bulk Operation' is still visible despite the user not having sufficient permission for the action.
Workaround
- Grant the 'Bulk Change' global permission to the user (if the user is eligible to do the bulk action)
- is related to JRASERVER-67632 NPE when doing Sub-Tasks "Bulk Operation" (Gathering Impact)