-
Suggestion
-
Resolution: Unresolved
-
None
-
1
-
4
-
OVERVIEW
The "Epic Link" field on screens (e.g. during issue creation or editing) shows all Epics in projects for which the user has the "Browse Projects" permission. However, in order to actually create the link the user needs the "Edit Issues" permission for both the Epic and the issue being created/edited (note: not the "Link Issues" permission). If the user attempts to create/edit an issue and link to an Epic that the user does not have permission to link to (i.e. in another project with different permissions), no error or warning is given on saving the changes and the resulting Epic Link field is left blank.
STEPS TO REPRODUCE
- Create two projects PROJA and PROJB.
- Create an epic in PROJA.
- Create a user and grant them only the "Browse Projects" permission for PROJA, and all permissions for PROJB.
- Log in as the above user.
- Create an issue in PROJB and use the "Epic Link" field to find the epic created in PROJA.
- Having created the issue, verify that no warning/error was given to say that the user doesn't have permission to link to the selected epic, and that the Epic Link field has been left empty.
USE CASE
We have a large number of teams working on a single JIRA instance across multiple projects. For reasons I won't go into (but can if need be), it is common for work in one project to be linked to an Epic in another. We also want to allow everyone to be able to "view" what is going on across the business in all projects, but want to control who can link to Epics in specific projects. Hence, all users are granted the "Browse Projects" permission, but further permissions are granted on a project by project basis, and users are only able to link to a small fraction of the projects which they can view.
The problems this bug causes with this use case are:
- A large number of Epics (several hundred in our case) are made available to a user even though they can't link to them in reality.
- If a mistake is made (very easy when many projects have similarly named Epics) and an unlinkable Epic is selected, the lack of warning/error means that this can go unnoticed by users, and can be much harder to rectify in hindsight.
- The large number of redundant Epics makes the field slow to populate.
SUGGESTED FIX
The Epic Link field should only show Epics which the user can link to.
AFFECTS VERSION:
1000.141.1 - CLOUD
7.3.1 - SERVER
- mentioned in
-
Page Failed to load
[JSWCLOUD-13986] Epic Link field allows selection of unlinkable Epics without warning/error
This issue strongly relates to the "mistakenly" closed one JSW-10752. The problem is that in many cases the Epic issue EDIT permission is not available for the current user who is actual developer and does the breakdown of business requirement (Epic main meaning) into set of development items for implementation. It is not expected/allowed to change the business requirements on the development breakdown level.
Terrible UI practice to not show an error if this is intended behavior. Instead the user only realizes the Epic Link didn't stick until they navigate back to the Issue.