- Bug
- Resolution: Not a bug
- Low
- None
- 4.13.0, 4.20.13
- 3
- Severity 2 - Major
Steps to Reproduce
- In JSD project A, set the customer permission "Who can access the portal and send requests to <project key>?" to "Customers my team adds to the project".
- Confirm that the project has no customers added.
- Access the portal as a customer who has access to the customer portal (a customer who is added to another project B but not to project A). The customer is not able to access the portal and receives the error: "You do not have permission to view this Portal."
- Add a request type in project A and some custom fields in that request type (these are considered sensitive data). The custom fields should be part of the "Create issue" screen.
- Edit the permission scheme to grant the "Browse Project" permission in project A to one of these:
  - Reporter
  - Single user
  - Current assignee
  - User custom field value
  - Group custom field value
- Access the portal as the same customer who has access to the customer portal (the customer who is added to another project B but not to project A).
Expected Results
Customer will only see project B.
Actual Results
The customer sees project B and can browse request types and see custom fields (Testers in my example) associated with project A (created in step 4 above).
P.S: The customer sees "You need permission to create a request through this service project." this time.
Workaround
Remove all these entries from the "Browse Project" permission:
- Reporter
- Single user
- Current assignee
- User custom field value
- Group custom field value
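
One way to check a permission scheme for the grants this workaround removes, as an added example that is not part of the original issue or Atlassian's code. It assumes the scheme has been exported as JSON in the shape of Jira's permission scheme REST resource with permissions expanded; the holder type strings should be verified against your instance, and the sample scheme is constructed.

```python
import json

# Holder types named in the workaround, keyed by the type string assumed to
# appear in the exported scheme JSON (verify against your Jira version).
RISKY_HOLDERS = {
    "reporter": "Reporter",
    "user": "Single user",
    "assignee": "Current assignee",
    "userCustomField": "User custom field value",
    "groupCustomField": "Group custom field value",
}


def risky_browse_grants(scheme):
    """Return (grant id, holder label, parameter) for each Browse Project
    grant whose holder is one of the types listed in the workaround."""
    findings = []
    for grant in scheme.get("permissions", []):
        # Only Browse Project grants matter here; other permissions are skipped.
        if grant.get("permission") != "BROWSE_PROJECTS":
            continue
        holder = grant.get("holder") or {}
        label = RISKY_HOLDERS.get(holder.get("type"))
        if label:
            findings.append((grant.get("id"), label, holder.get("parameter")))
    return findings


# Constructed sample scheme (ids, role and field names are made up).
SAMPLE_SCHEME = json.loads("""
{
  "id": 10000,
  "name": "Sample service project scheme (constructed)",
  "permissions": [
    {"id": 10010, "permission": "BROWSE_PROJECTS",
     "holder": {"type": "projectRole", "parameter": "10002"}},
    {"id": 10011, "permission": "BROWSE_PROJECTS",
     "holder": {"type": "reporter"}},
    {"id": 10012, "permission": "CREATE_ISSUES",
     "holder": {"type": "reporter"}},
    {"id": 10013, "permission": "BROWSE_PROJECTS",
     "holder": {"type": "userCustomField", "parameter": "customfield_10100"}}
  ]
}
""")

if __name__ == "__main__":
    for grant_id, label, parameter in risky_browse_grants(SAMPLE_SCHEME):
        print(f"grant {grant_id}: Browse Project -> {label} ({parameter})")
```

Any grant the function returns is one of the entries the workaround says to remove from "Browse Project".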
- is cloned from: JSDCLOUD-8167 "Browse Project" permission set for Reporter overrides the customer permission that results the project getting exposed in the customer portal (In Progress)
- relates to: JSDSERVER-12210 There was a problem completing the current request error message while linking a KB from Jira OnPrem to Confluence Cloud (Closed)