Jira Data Center: JRASERVER-76172

Users without the "Browse Users" permission are able to fetch issues which are assigned to or reported by another user using the advanced search filter


    Description

      Issue Summary

      Users without the "Browse Users" permission are able to fetch issues which are assigned to or reported by another user using the advanced search filter.

      This is reproducible on Data Center: yes

      Steps to Reproduce

      1. Log in to Jira as a user who does not have the Browse Users permission
      2. Use the basic search filter to search for issues which are assigned to another user or are reported by another user
      3. Also, use the advanced search filter to search for issues which are assigned to another user or are reported by another user

      Expected Results

      Users without the Browse Users permission should not be allowed to fetch issues which are assigned to another user or are reported by another user. However, when the search is performed with JQL the details can be fetched, although it fails when using basic search.

      Actual Results

      With basic search, the operation fails with response code 403 and an error message that the user is not authorized.

      Advanced search with JQL shows response code 400 and an error message that the user is not authorized, but the issue details can still be fetched.

      Workaround

      Currently there is no known workaround for this behavior. A workaround will be added here when available.


            People

              Assignee: Unassigned
              Reporter: Yash Singh