  1. Jira Software Cloud
  2. JSWCLOUD-13986

Epic Link field allows selection of unlinkable Epics without warning/error


    Description

      OVERVIEW

      The "Epic Link" field on screens (e.g. during issue creation or editing) shows all Epics in projects for which the user has the "Browse Projects" permission. However, in order to actually create the link the user needs the "Edit Issues" permission for both the Epic and the issue being created/edited (note: not the "Link Issues" permission). If the user attempts to create/edit an issue and link to an Epic that the user does not have permission to link to (i.e. in another project with different permissions), no error or warning is given on saving the changes and the resulting Epic Link field is left blank.

      STEPS TO REPRODUCE

      1. Create two projects PROJA and PROJB.
      2. Create an epic in PROJA.
      3. Create a user and grant them only the "Browse Projects" permission for PROJA, and all permissions for PROJB.
      4. Log in as the above user.
      5. Create an issue in PROJB and use the "Epic Link" field to find the epic created in PROJA.
      6. Having created the issue, verify that no warning/error was given to say that the user doesn't have permission to link to the selected epic, and that the Epic Link field has been left empty.

      USE CASE

      We have a large number of teams working on a single JIRA instance across multiple projects. For reasons I won't go into (but can if need be), it is common for work in one project to be linked to an Epic in another. We also want to allow everyone to be able to "view" what is going on across the business in all projects, but want to control who can link to Epics in specific projects. Hence, all users are granted the "Browse Projects" permission, but further permissions are granted on a project-by-project basis, and users are only able to link to a small fraction of the projects which they can view.

      The problems this bug causes with this use case are:

      1. A large number of Epics (several hundred in our case) are made available to a user even though they can't link to them in reality.
      2. If a mistake is made (very easy when many projects have similarly named Epics) and an unlinkable Epic is selected, the lack of warning/error means that this can go unnoticed by users, and can be much harder to rectify in hindsight.
      3. The large number of redundant Epics makes the field slow to populate.

      SUGGESTED FIX

      The Epic Link field should only show Epics which the user can link to.

      AFFECTS VERSION:
      1000.141.1 - CLOUD
      7.3.1 - SERVER

      People

        Assignee: Unassigned
        Reporter: Paul Thomas (paul.thomas1)
        Votes: 10
        Watchers: 9