"Browse Project" permission set to specific values overrides the customer permission that results in the project getting exposed in the customer portal

Steps to Reproduce

1. In JSD project A, set the customer permission as "Who can access the portal and send requests to <project key>?": "Customers my team adds to the project"
2. Confirm that the project has no customers added
3. Access the portal by a customer that has access to customer portal (customer that is added to another project B but not project A). The customer is not able to access the portal and receives the error: "You do not have permission to view this Portal."
4. Add a request type in project A and some custom fields in that request type (these are considered sensitive data). The custom fields should be part of the "Create issue" screen.
5. Edit the permission scheme to add one of these fields "Browse Project" permission in project A:

• Reporter
• Single user
• Current assignee
• User custom field value
• Group custom field value

1. Access the portal by the same customer that has access to the customer portal (customer that is added to another project B but not project A).

Expected Results

Customer will only see project B.

Actual Results

The customer sees project B and can browse request types and see custom fields (Testers in my example) associated with project A (created in step 4 above).



 

P.S: The customer sees "You need permission to create a request through this service project." this time.

Workaround

Remove all these entries from the "Browse Project" permission:

• Reporter
• Single user
• Current assignee
• User custom field value
• Group custom field value