Details
- Bug
- Resolution: Unresolved
- High
- None
- 8.13.22, 9.1.0, 8.20.11
- 8.13
- 7
- Severity 2 - Major
- 1
Description
Issue Summary
If, within a project, the 'Browse Project Archive' and 'Browse Projects' permissions are granted to 'Group Custom Field' or to the 'Reporter' option in the permission scheme, the project becomes searchable in Issues > Archived Issues by any user who has the 'Browse Project Archive' permission in any project. This allows the user to search for (but not view) issues in projects they do not have access to.
This is reproducible on Data Center: (yes)
Steps to Reproduce
- Create two projects (Project A and Project B) and a limited access user (user 1).
- Grant user 1 the Browse Project Archive and Browse Projects permissions for Project A only.
- Ensure user 1 has no rights to project B explicitly.
- Archive an issue from Project A and Project B.
- As user 1 attempt to search Archived Issues via Issues > Archived Issues (perform an empty search and notice you should only see the archived issues from Project A).
- For Project B, grant the 'Browse Project Archive' and 'Browse Projects' permissions to a 'Group Custom Field Value'.
- Do not populate the custom field selected for the permission for issues in Project B.
- As user 1, attempt to search for archived issues again via Issues > Archived Issues (notice this time you see Project A and Project B archived issues in the results list even though you do not have any rights to Project B).
Expected Results
If the user is not explicitly assigned the 'Browse Project Archive'/'Browse Projects' permissions, or the custom field is not filled in to grant the user the ability to see the project archive for these issues, the results should not show these issues.
Actual Results
The user is shown results in the result list for projects that they do not have the 'Browse Project Archive'/'Browse Projects' permission for. Although they cannot view these issues if they try to open them, they can see the Summary in the result set.
A standard issue search via Issues > Search for Issues does not show these issues in the result set, but the archive search does.
Workaround
The only workaround currently is to not use the Reporter or custom field option when granting the Browse Project Archive/Browse Projects permissions.
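One way to audit for the configuration the workaround tells you to avoid, as an added example that is not Atlassian's code: it scans a permission-scheme export for Browse Projects / Browse Project Archive grants to the Reporter or a Group Custom Field. The JSON shape, the permission keys `BROWSE_PROJECTS` and `BROWSE_ARCHIVE`, and the holder types `reporter` and `groupCustomField` are assumptions about how the instance exports its schemes, and the sample data is constructed.

```python
import json

# Assumed names: permission keys and holder types as they appear in a
# permission-scheme export; adjust to what your instance reports.
AFFECTED_PERMISSIONS = {"BROWSE_PROJECTS", "BROWSE_ARCHIVE"}
RISKY_HOLDERS = {"reporter", "groupCustomField"}

# Constructed sample export (not real data).
SAMPLE_EXPORT = json.loads("""
{"permissionSchemes": [
  {"id": 10000, "name": "Project A scheme", "permissions": [
    {"permission": "BROWSE_PROJECTS", "holder": {"type": "user", "parameter": "user1"}},
    {"permission": "BROWSE_ARCHIVE", "holder": {"type": "user", "parameter": "user1"}}]},
  {"id": 10001, "name": "Project B scheme", "permissions": [
    {"permission": "BROWSE_PROJECTS", "holder": {"type": "groupCustomField", "parameter": "customfield_10100"}},
    {"permission": "BROWSE_ARCHIVE", "holder": {"type": "groupCustomField", "parameter": "customfield_10100"}},
    {"permission": "CREATE_ISSUES", "holder": {"type": "reporter"}}]},
  {"id": 10002, "name": "Project C scheme", "permissions": [
    {"permission": "BROWSE_PROJECTS", "holder": {"type": "reporter"}}]}
]}
""")

def find_risky_grants(export):
    """Return (scheme, permission, holder type, parameter) for each grant to review."""
    findings = []
    for scheme in export.get("permissionSchemes", []):
        for grant in scheme.get("permissions", []):
            holder = grant.get("holder") or {}
            if (grant.get("permission") in AFFECTED_PERMISSIONS
                    and holder.get("type") in RISKY_HOLDERS):
                findings.append((scheme.get("name"), grant["permission"],
                                 holder["type"], holder.get("parameter")))
    return findings

def schemes_matching_report(export):
    """Schemes where BOTH affected permissions go to a risky holder (the reported condition)."""
    seen = {}
    for name, permission, _type, _param in find_risky_grants(export):
        seen.setdefault(name, set()).add(permission)
    return sorted(n for n, perms in seen.items() if perms == AFFECTED_PERMISSIONS)

if __name__ == "__main__":
    for finding in find_risky_grants(SAMPLE_EXPORT):
        print("review:", finding)
    print("matches reported condition:", schemes_matching_report(SAMPLE_EXPORT))
```

Schemes returned by `schemes_matching_report` match the setup in the reproduction steps; the other findings are grants the workaround also advises against.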