- Type: Bug
- Resolution: Unresolved
- Priority: Low
- None
- Affects Version/s: 9.4.7, 9.11.2
- 9.04
- 3
- Severity 3 - Minor
Issue Summary
The REST API resource rest/api/2/user/viewissue/search does not respect permissions. Calling it for a user who has the browse permission and for a user who has no permissions on a single ticket results in both users still being able to view the issue. See this documentation for reference - https://docs.atlassian.com/software/jira/docs/api/REST/9.4.7/#api/2-getAllPermissions
By comparison, the Java API returns false when it is given a user who does not have the right permissions to view the ticket. See this documentation for reference - https://docs.atlassian.com/software/jira/docs/api/9.4.7/com/atlassian/jira/security/PermissionManager.html
This is reproducible on Data Center: (yes)
Steps to Reproduce
- Create two users: one with permissions to edit, view and browse one project, and one who lacks these permissions.
- Call the REST API rest/api/2/user/viewissue/search for both users, changing the user name each time, against the same issue.
Expected Results
The user who lacks permission should not get a result
Actual Results
Both users are seeing the issues
...
Workaround
Use Java API instead.
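
To check whether an instance shows this behaviour, the reproduction steps above can be automated. The following is an added example, not code from the ticket or from Atlassian. It assumes the `issueKey` and `username` query parameters and the `name` response field as described in the Jira REST documentation for this resource; the issue key DEMO-1, the users alice and bob, and the stubbed response are constructed sample data.

```python
import json
import urllib.parse
import urllib.request

ENDPOINT = "/rest/api/2/user/viewissue/search"

def http_fetch(base_url, auth_header):
    """Return a fetch(path) callable doing an authenticated GET and decoding JSON."""
    def fetch(path):
        req = urllib.request.Request(
            base_url.rstrip("/") + path,
            headers={"Authorization": auth_header, "Accept": "application/json"})
        with urllib.request.urlopen(req, timeout=15) as resp:
            return json.load(resp)
    return fetch

def returned_for(fetch, issue_key, username):
    """True if the endpoint lists `username` as able to view `issue_key`."""
    query = urllib.parse.urlencode({"issueKey": issue_key, "username": username})
    users = fetch(f"{ENDPOINT}?{query}")
    # The search string can match several accounts; require the exact user name.
    return any(u.get("name") == username for u in users)

def audit(fetch, issue_key, expected):
    """Compare the endpoint's answer with the intended access of each user.

    `expected` maps username -> True (should see the issue) or False (should not).
    Returns a list of (username, "over-exposed" | "missing") findings.
    """
    findings = []
    for username, should_view in sorted(expected.items()):
        listed = returned_for(fetch, issue_key, username)
        if listed and not should_view:
            findings.append((username, "over-exposed"))
        elif should_view and not listed:
            findings.append((username, "missing"))
    return findings

def affected_stub(path):
    """Constructed stand-in for an affected instance: every queried user is returned."""
    name = urllib.parse.parse_qs(urllib.parse.urlsplit(path).query)["username"][0]
    return [{"name": name, "active": True}]

if __name__ == "__main__":
    # Against a real instance, pass http_fetch(base_url, auth_header) instead of the stub.
    print(audit(affected_stub, "DEMO-1", {"alice": True, "bob": False}))
```

An empty findings list means the resource agreed with the intended permissions for every user checked.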