Users without Bulk Change permission could still perform an update with shared link


    • Type: Bug
    • Resolution: Unresolved
    • Priority: Low
    • None
    • Affects Version/s: 9.12.29, 10.3.14, 11.2.1
    • Component/s: Issue - Actions
    • None
    • 9.12
    • 1
    • Severity 3 - Minor

      Issue Summary

      A user with project-level edit but no global bulk change permission can open a shared bulk change link and use the wizard fully—selecting issues, toggling options, editing fields, and reaching the final confirmation. The system blocks the action and shows "Oops, you've found a dead link." only after clicking "Confirm".

      Though the bulk change button was hidden initially, permission checks happen only at the last step.

      Steps to Reproduce

      1. Create a user who has no Bulk Change permission at the global permission level.
      2. Log in as an admin user who has Bulk Change permission, search for a few issues, and start a bulk change so that you reach the issue selection list, i.e. the very first page of the wizard.
      3. Copy the link, share it with the user created in step 1, and have that user open it in another browser tab.

      Expected Results

      If an admin shares a bulk edit operation link with a user who does not have the required privileges, the operation should be blocked at the initial stage.

      Actual Results

      The operation is not blocked at the initial step (selecting the list of issues) and is allowed to proceed until the Confirm/final step.

      2025-12-04 07:52:07,538+0000 http-nio-8080-exec-5 url: /jira/internal-error ERROR      [c.a.j.web.servlet.InternalServerErrorServlet] {errorId=b54d3f69-97ca-4ce4-82be-339aeb8a15f1, interpretedMsg=, cause=java.lang.NullPointerException: Cannot invoke "com.atlassian.jira.issue.search.SearchRequest.getQuery()" because the return value of "com.atlassian.jira.web.action.issue.bulkedit.BulkEdit1.getSearchRequest()" is null, stacktrace=java.lang.NullPointerException: Cannot invoke "com.atlassian.jira.issue.search.SearchRequest.getQuery()" because the return value of "com.atlassian.jira.web.action.issue.bulkedit.BulkEdit1.getSearchRequest()" is null
          at com.atlassian.jira.web.action.issue.bulkedit.BulkEdit1.lambda$getQuery$1(BulkEdit1.java:283) [classes/:?]
          at java.base/java.util.Optional.orElseGet(Optional.java:364) [?:?]
          at com.atlassian.jira.web.action.issue.bulkedit.BulkEdit1.getQuery(BulkEdit1.java:283) [classes/:?]
          at com.atlassian.jira.web.action.issue.bulkedit.BulkEdit1.doDefault(BulkEdit1.java:71) [classes/:?]
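
      The difference between gating only the final step and gating every step of a wizard, as an added example that is not Atlassian's code and not part of the original report. The step names, the `BULK_CHANGE` permission string and all function names are hypothetical, and the missing-search case is an assumption modelled on the null search request in the trace above.

```python
from dataclasses import dataclass
from typing import Optional

# Hypothetical model of a four-step bulk-change wizard; names are not Jira's.
STEPS = ("select_issues", "choose_operation", "edit_fields", "confirm")

@dataclass
class User:
    name: str
    global_permissions: frozenset = frozenset()

@dataclass
class Session:
    user: User
    search_request: Optional[list] = None  # issue keys from the search, if any

def _run_step(session, step):
    """Wizard logic shared by both handlers; performs no permission check."""
    if step not in STEPS:
        return 404, "unknown step"
    if session.search_request is None:
        # Assumption: wizard state can be absent from the session, so answer
        # with a client error instead of dereferencing it and returning a 500.
        return 400, "no search request in this session"
    if step == "confirm":
        return 200, f"updated {len(session.search_request)} issues"
    return 200, f"rendered {step}"

def handle_late_check(session, step):
    """Behaviour described in the report: only the final step is gated."""
    if step == "confirm" and "BULK_CHANGE" not in session.user.global_permissions:
        return 403, "permission denied"
    return _run_step(session, step)

def handle_gated(session, step):
    """Every step passes the same gate before any wizard state is read."""
    if "BULK_CHANGE" not in session.user.global_permissions:
        return 403, "permission denied"
    return _run_step(session, step)

def reachable_steps(handler, session):
    """Steps that return 200 for this session, in wizard order."""
    return [s for s in STEPS if handler(session, s)[0] == 200]
```

      Calling `reachable_steps` with each handler for the same unprivileged session shows which wizard pages a direct link can still render.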

      Workaround

      Currently there is no known workaround for this behavior. A workaround will be added here when available.

            Assignee:
            Unassigned
            Reporter:
            Sandip Shrivastava
            Votes:
            2
            Watchers:
            2

              Created:
              Updated: