  1. Jira Service Management Data Center
  2. JSDSERVER-6041

Issues do not appear on My Requests if Customer is an Agent who is denied access by the Issues' Security Level


Details

    • Bug
    • Resolution: Unresolved
    • Low
    • None
    • 3.15.0, 5.4.5
    • Customer Portal

    Description

      Summary

      If agenta is both an agent and a customer of an SD project (project key BSD)

       And BSD-2 has a security level whereby agenta is not allowed to view it as an agent (from JIRA) but is allowed to view it as a customer (from SD Portal)

        Then BSD-2 doesn't appear on the My requests page of agenta under certain conditions


      Steps to reproduce

      1 - Setting up User & Group & Application Access

      1. Create group agent-a
      2. Create user agenta and add him to group agent-a
      3. Also give agenta application access to JIRA Service Desk.

      2 - Setting up Project Roles & Issue Security Scheme

      1. Create an Issue Security Scheme this way:
        • From JIRA:
          • agenta can view issues of Level A, but not Admin Level
          • An admin can view issues of either level
        • From Customer Portal, agenta should be able to view all issues he reports or is a participant in, regardless of security levels
      2. Create an IT Service Desk project and associate it with the above Issue Security Scheme
      3. Edit project roles and add agenta to the Service Desk Team and Service Desk Customers roles, so that he will be both agent and customer.

      3 - Reproducing the issue

      1. As admin:
        • Add agenta as a participant in the sample issue that is created in the project, BSD-1 - this issue has no security level
        • Raise a new request on behalf of agenta, BSD-2
        • Edit BSD-2 and set security level to Admin Level
      2. Observe these behaviors when logged in as agenta:
        • As an agent, agenta is able to view BSD-1 but not BSD-2 in JIRA, which is expected due to security levels 
        • From Customer Portal, agenta sees 1 in Requests / My requests, which is expected since he's the reporter of BSD-2 
        • However, no request shows up in the list of My requests, which is unexpected since BSD-2 should appear 
        • Switching to All requests, agenta sees BSD-1, which is expected since he's a participant 
        • Clicking BSD-1 then changing the URL to BSD-2, agenta is able to view BSD-2 

      Workaround

      1. As admin, do either of the following:
        • Simply add/remove another user to/from another group that has nothing to do with the project or issue security scheme
        • Remove agenta from the Service Desk Team role of the project, then add him back to the role
      2. As agenta, refresh the My requests page, and BSD-2 now shows up.
      3. Since the only affected users are customers who are agents at the same time, another workaround is to use the Agent view, where they will be able to see these tickets. In this case, the agent should be allowed access by the appropriate security level.

      The issue may happen again intermittently, in different ways. Please refer to the Notes section below for a consistent way to reproduce it.

      Notes

      The issue can be consistently reproduced this way, after being temporarily worked around by tweaking project roles and/or group memberships:

      1. As agenta, log out
      2. As admin, remove agenta from jira-servicedesk-users group, so that agenta loses application access
      3. As admin, add agenta back to jira-servicedesk-users group, so that agenta regains application access
      4. As agenta, log in to JIRA, not the Portal
      5. As agenta, perform a search of project BSD in Issue Navigator so that only BSD-1 will be visible to him
      6. As agenta, go to Customer Portal and observe that BSD-2 disappears again
      7. And so on

       At step 4, if agenta logs in to the Portal instead, the issue can't be reproduced and BSD-2 is visible as expected. This seems to indicate that, after agenta logs in to JIRA as a new agent and searches for issues in the project, Lucene is repopulated in a way that only takes BSD-1 into account. Then, when agenta goes to the Portal, only BSD-1 is there.

       Take note that agenta is still able to view BSD-2 by accessing its Portal URL directly.


      Findings & Suggestions

      • The request count and the request search are expected to be in sync, but they are not. For some reason the search result is incorrect, and it may have something to do with security levels.
      • It was discovered that the request count does not use the same search that returns the search result. It performs the search with security overridden, which bypasses the issue security scheme.

       A possible solution is to make the request search use the same search as the request count.
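
The mismatch described in the findings, as a small added model (not Jira Service Management code and not part of the original report): the count path ignores the issue security level while the list path applies it, so the two disagree for a user who is both agent and customer. All names and data are constructed from the BSD-1/BSD-2 setup above; the intermittent, index-dependent nature of the bug is not modelled.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Issue:
    key: str
    reporter: str
    participants: frozenset = frozenset()
    security_level: Optional[str] = None

# Constructed data mirroring the report's setup (hypothetical in-memory store).
LEVEL_MEMBERS = {"Level A": {"agenta", "admin"}, "Admin Level": {"admin"}}
ISSUES = [
    Issue("BSD-1", "admin", frozenset({"agenta"})),          # no security level
    Issue("BSD-2", "agenta", security_level="Admin Level"),  # agenta is reporter
]

def level_allows(user, issue):
    """Agent-side rule: the issue security scheme decides visibility."""
    return (issue.security_level is None
            or user in LEVEL_MEMBERS[issue.security_level])

def is_customer_of(user, issue):
    """Portal-side rule: reporter or participant, regardless of level."""
    return user == issue.reporter or user in issue.participants

def my_requests_count(user):
    """Count path: security overridden, scoped only by the reporter relation."""
    return sum(1 for i in ISSUES if i.reporter == user)

def my_requests_list(user, apply_security_level=True):
    """List path. True models the reported behaviour, False the suggested fix."""
    return [i.key for i in ISSUES
            if i.reporter == user
            and (not apply_security_level or level_allows(user, i))]

def portal_direct_view(user, key):
    """Opening a request by its Portal URL uses the customer relation only."""
    issue = next(i for i in ISSUES if i.key == key)
    return is_customer_of(user, issue)

def count_matches_list(user, apply_security_level=True):
    """Regression invariant: the badge count must equal the rows listed."""
    return my_requests_count(user) == len(my_requests_list(user, apply_security_level))
```

When the list is aligned with the count, the overridden search must stay scoped to the reporter/participant relation, as it is here, so that bypassing the security scheme does not expose other customers' requests.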

            People

              Unassigned Unassigned
              vdung Andy Nguyen (Inactive)
              Votes: 32
              Watchers: 28
