User custom field allows users without application access or permission to become assignee.

    • 9.12
    • 1
    • Severity 3 - Minor

      Issue Summary

      If you have a permission scheme and use User Custom Field Value for permissions, such as assignable user, this allows users that have no application access, role, or any proper project permissions to be assigned to issues.

      This can also be seen in other permissions, where user custom fields can cause permissions to be bypassed because the field allows any user.

      Steps to Reproduce

      1. Create a user picker custom field and add it to the project.
      2. Set the project permissions to allow use of the custom field for the assignable issues permissions.
      3. Create an issue in the project, and set the user picker custom field to an unlicensed user.
      4. The unlicensed user can then be chosen as the assigned user for the issue.

      Expected Results

      Users without application access should not appear in user picker fields, preventing them from being assigned issues.

      Actual Results

      Users can be assigned issues.

      Workaround

      Currently there is no known workaround for this behaviour. A workaround will be added here when available.
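
To find where the condition described above already exists, the audit below flags issues whose user picker field names a user without application access. It is an added example, not part of the original ticket and not Atlassian code; the `ASSIGNABLE_USER` key and `userCustomField` holder type follow Jira's REST permission-scheme representation, while the flattened user and issue records, `application_roles`, and all sample values are constructed assumptions.

```python
# Added example. All data below is constructed; "application_roles" and the
# flattened issue/user records are hypothetical simplifications.
SCHEME = {"permissions": [
    {"permission": "ASSIGNABLE_USER",
     "holder": {"type": "userCustomField", "parameter": "customfield_10100"}},
    {"permission": "ASSIGNABLE_USER",
     "holder": {"type": "projectRole", "parameter": "10002"}},
    {"permission": "BROWSE_PROJECTS",
     "holder": {"type": "userCustomField", "parameter": "customfield_10200"}},
]}
USERS = {"alice": {"application_roles": ["jira-software"]},
         "bob": {"application_roles": []}}          # bob: no application access
ISSUES = [
    {"key": "DEMO-1", "fields": {"customfield_10100": "alice", "assignee": "alice"}},
    {"key": "DEMO-2", "fields": {"customfield_10100": "bob", "assignee": "bob"}},
    {"key": "DEMO-3", "fields": {"customfield_10100": ["alice", "bob"], "assignee": None}},
    {"key": "DEMO-4", "fields": {"customfield_10100": None, "assignee": "alice"}},
]

def custom_field_grants(scheme, permission="ASSIGNABLE_USER"):
    """Custom field ids the scheme uses as the holder for `permission`."""
    return sorted(g["holder"]["parameter"] for g in scheme["permissions"]
                  if g["permission"] == permission
                  and g["holder"]["type"] == "userCustomField")

def audit(scheme, issues, users):
    """Flag picker values naming a user who has no application access."""
    findings = []
    for field in custom_field_grants(scheme):
        for issue in issues:
            value = issue["fields"].get(field)
            # Single- and multi-user pickers: normalise to a list of names.
            picked = value if isinstance(value, list) else [value] if value else []
            for name in picked:
                # Unknown users are treated the same as unlicensed ones.
                if users.get(name, {}).get("application_roles"):
                    continue
                state = ("assigned" if issue["fields"].get("assignee") == name
                         else "assignable")
                findings.append((issue["key"], field, name, state))
    return findings

if __name__ == "__main__":
    for finding in audit(SCHEME, ISSUES, USERS):
        print(*finding)
```

Passing another permission key to `custom_field_grants` shows which other permissions in the scheme are granted through a user custom field.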

            Assignee: Unassigned
            Reporter: Tom Offin (Inactive)
            Votes: 1
            Watchers: 3