Users without 'Bulk Change' Global Permission can see 'Bulk Operation' option for sub-task

XMLWordPrintable

    • Type: Bug
    • Resolution: Unresolved
    • Priority: Low
    • None
    • Affects Version/s: 7.10.0, 7.13.0, 7.13.1, 8.0.0-beta, 9.4.7
    • Component/s: Bulk Operations
    • None
    • 7.1
    • 11
    • Severity 3 - Minor
    • 2

      Summary

      When a user does not have the 'Bulk Change' Global Permission, they are still able to see the 'Bulk Operation' for sub-task. They can click on it and continue with the bulk operations. Only after the confirmation screen, the user will face Error 404 and the bulk operation will be dropped.

      Steps to reproduce the issue

      1. Login with a normal jira user account.
      2. Create a parent issue.
      3. Create two subtasks under the parent issue.
      4. Logout and login with Admin account and remove the jira user account from 'Bulk Change' Global Permission
      5. Logout and login with a normal jira user account and open the parent issue.
      6. At the "Sub-Tasks" option, click the Triple Dot and select "Bulk Operation"
      7. Select the two sub-tasks and proceed to click next.

      In the logs, we can see the following errors:

      2023-07-13 11:33:57,291+0000 http-nio-8080-exec-29 url: /internal-error ERROR      [c.a.j.web.servlet.InternalServerErrorServlet] {errorId=f752d0bc-8bf7-4077-a45a-97bcdbd7e4e1, interpretedMsg=, cause=java.lang.NullPointerException, stacktrace=java.lang.NullPointerException
    	at com.atlassian.jira.web.action.issue.bulkedit.BulkEdit1.lambda$getQuery$1(BulkEdit1.java:274) [classes/:?]
    	at java.base/java.util.Optional.orElseGet(Optional.java:369) [?:?]
    	at com.atlassian.jira.web.action.issue.bulkedit.BulkEdit1.getQuery(BulkEdit1.java:274) [classes/:?]
    	at com.atlassian.jira.web.action.issue.bulkedit.BulkEdit1.doValidation(BulkEdit1.java:111) [classes/:?]
    	at webwork.action.ActionSupport.validate(ActionSupport.java:391) [webwork-1.4-atlassian-31.jar:?]
    	at webwork.action.ActionSupport.execute(ActionSupport.java:162) [webwork-1.4-atlassian-31.jar:?]
    	at com.atlassian.jira.web.action.JiraWebActionSupport.execute(JiraWebActionSupport.java:1364) [jira-api-9.4.7.jar:?]
    	at webwork.interceptor.DefaultInterceptorChain.proceed(DefaultInterceptorChain.java:39) [webwork-1.4-atlassian-31.jar:?]
...
    , referer=https://JIRA-URL/issue/bulkedit/BulkEdit1!default.jspa?reset=true&searchParent=SC-1, servletErrorMessage=}

      Expected Results

      The 'Bulk Operation' should be hidden from the screen if the user does not have sufficient permission.

      Actual Results

      The 'Bulk Operation' is still visible despite user not having sufficient permission for the action.

      Workaround

      • Grant the 'Bulk Change' global permission to the user (if the user is eligible to do the bulk action)

        1. Sub-task.png
          55 kB
          Irfan Mazli Mazuki

            Assignee:
            Unassigned
            Reporter:
            Irfan Mazli Mazuki (Inactive)
            Votes:
            9 Vote for this issue
            Watchers:
            12 Start watching this issue

              Created:
              Updated: