- Bug
- Resolution: Unresolved
- Low
- None
- 9.4.6
- 9.04
- 1
- Severity 3 - Minor
- 0
Issue Summary
Users without the "Browse Users" permission are able to fetch issues that are assigned to or reported by another user by using the advanced search filter.
This is reproducible on Data Center: yes
Steps to Reproduce
- Log in to JIRA as a user who does not have the Browse Users permission
- Use the basic search filter to search for issues which are assigned to another user or are reported by another user
- Also, use the advanced search filter to search for issues which are assigned to another user or are reported by another user
Expected Results
Users without the Browse Users permission should not be allowed to fetch issues which are assigned to another user or are reported by another user. However, when the search is performed with JQL the details can be fetched, though it fails when using basic search.
Actual Results
With basic search, the operation fails with response code 403 and an error message that the user is not authorized.
Advanced search with JQL shows response code 400 and an error message that the user is not authorized, but the issue details can still be fetched.
Workaround
Currently there is no known workaround for this behavior. A workaround will be added here when available.