Problem

The Rest API endpoints are unable to correctly check group memberships when there are multiple directories. This leads to situations where REST API endpoints, such as /rest/api/2/user/viewissue/search?username=<>&issueKey=<issueKey>, will report on users having the incorrect permission, but don't appear to be associated with a group with such permission when viewed through the Jira UI. This discrepancy causes confusion, as administrators are unable to discern where these permissions are being granted.

Environment

Reproduced in Jira 9.17.4, Jira 9.12.x, Jira 10.4.1

Steps to Reproduce

1. Create a user in the internal directory.
2. Associate this user with a group that has Browse Permission for a project.
3. Use the REST API endpoint rest/api/2/user/viewissue/search?username=<>&issueKey=<issueKey>. Observe that the user is listed as having browse permission for the project as expected.
4. Create the same user in an LDAP directory without associating any groups.
5. Add the LDAP directory to the Jira instance and reorder the directories so that the LDAP directory is on the top.
6. Notice that the user is no longer listed as part of the group from step 2 in the UI.
7. Use the REST API endpoint rest/api/2/user/viewissue/search?username=<>&issueKey=<issueKey>. Notice that the user is still listed as having browse permission, despite not being associated with any groups in the LDAP directory.

  The permission helper will show that the user does not have the browse permission, but when the rest/api/2/user/viewissue/search?username=<>&issueKey=<issueKey> is used, the user will be listed. (See Screenshot)

Expected Results

The user should not be listed as having browse permission when their directory association does not grant such permission.

Actual Results

The user is incorrectly listed as having browse permission due to lingering associations in the database (cwd_membership table), despite not being associated with any groups in the directory being used.

Workaround

1. Navigate to User Directories and reorder them so that the Jira Internal Directory, or the directory with the old group association, is at the top.
2. Go to the group in question and remove the user(s) from the group.
3. Reorder the user directories to the original configuration.

Notes

• The issue stems from outdated associations in the database that are not visible through the Jira UI.
• Use the following SQL query to confirm the user's group and directory associations:

SELECT 
    u.id AS "User Id", 
    a.user_key AS "App User Key", 
    u.lower_user_name AS "Lower Username", 
    u.active AS "User Status", 
    ud.id AS "User Directory Id", 
    ud.directory_position AS "User Directory Order", 
    ud.directory_name AS "User Directory Name", 
    ud.active AS "User Directory Status", 
    g.id AS "Group Id", 
    g.group_name AS "Group Name", 
    gd.id AS "Group Directory Id", 
    gd.directory_name AS "Group Directory Name", 
    gd.active AS "Group Directory Status"
FROM 
    cwd_user u
LEFT JOIN 
    app_user a ON a.lower_user_name = u.lower_user_name
JOIN 
    cwd_directory ud ON ud.id = u.directory_id
LEFT JOIN 
    cwd_membership m ON m.child_id = u.id
LEFT JOIN 
    cwd_group g ON g.id = m.parent_id
LEFT JOIN 
    cwd_directory gd ON gd.id = g.directory_id
WHERE 
    u.lower_user_name = '<USERNAME>'
ORDER BY 
    ud.directory_position ASC; 

• Ensure to replace <USERNAME> with the actual username being investigated.