
User without schedule issues permission is able to change sprint of an issue via edit issue REST endpoint

      Current behaviour

      Using the full issue details web interface, if a user does not have the schedule issues permission, they are not able to move issues between sprints. They are not able to edit the sprint field from the issue details screen or from anywhere else. This is the expected behaviour.

      However, if I hit the REST endpoint authenticated as a user without the schedule issues permission for get issue (GET api/2/issue/{issueId}?expand=editmeta), the sprint field comes down with the edit meta indicating that it is editable. On top of that, changing the sprint of an issue by editing the issue using the update issue endpoint (PUT api/2/issue/{issueId}) returns successfully and changes the sprint when it shouldn't.

      Expected behaviour

      The expected behaviour is that the sprint field is not returned as part of the edit meta of an issue if the user doesn't have this permission, and that updating the sprint via the update issue REST endpoint fails if the user doesn't have this permission.

      This will make the official native Android and iOS apps, and the new issue view (as well as any other service that hits these endpoints) behave the same as the full view issue web interface.
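The fix requested above comes down to one rule enforced on both endpoints: the Schedule Issues permission gates the sprint field in the editmeta response and in the update handler, not only in the web UI. The following model of that rule is an added example, not Jira's own code; the field id, permission keys and permission table are constructed assumptions.

```python
"""Model of consistent field-level authorization for the two REST paths in this report:
GET issue?expand=editmeta must not list the sprint field, and PUT issue must reject it,
whenever the user lacks Schedule Issues. Constructed example, not Atlassian's implementation."""
from dataclasses import dataclass

SPRINT_FIELD = "customfield_10020"   # constructed field id; real instances differ
EDIT_ISSUES = "EDIT_ISSUES"          # constructed permission keys
SCHEDULE_ISSUES = "SCHEDULE_ISSUES"

# Permissions each field requires before it may be edited (constructed table).
FIELD_PERMISSIONS = {
    "summary": {EDIT_ISSUES},
    "description": {EDIT_ISSUES},
    SPRINT_FIELD: {EDIT_ISSUES, SCHEDULE_ISSUES},
}


@dataclass
class Issue:
    key: str
    fields: dict


class PermissionDenied(Exception):
    pass


def editable_fields(user_perms: set) -> set:
    """Single source of truth for both endpoints: fields whose required permissions
    are all held by the user."""
    return {f for f, required in FIELD_PERMISSIONS.items() if required <= user_perms}


def get_editmeta(user_perms: set) -> dict:
    """GET .../issue/{id}?expand=editmeta: advertise only fields the user can change."""
    return {"fields": {f: {"name": f} for f in sorted(editable_fields(user_perms))}}


def update_issue(issue: Issue, user_perms: set, payload: dict) -> Issue:
    """PUT .../issue/{id}: refuse the whole request if any field in the payload is
    outside the user's editable set, so a hidden field cannot be changed by name."""
    denied = set(payload) - editable_fields(user_perms)
    if denied:
        raise PermissionDenied(f"{issue.key}: not permitted to edit {sorted(denied)}")
    issue.fields.update(payload)
    return issue


if __name__ == "__main__":
    issue = Issue("DEMO-1", {SPRINT_FIELD: 5})
    print(get_editmeta({EDIT_ISSUES}))            # sprint field absent
    try:
        update_issue(issue, {EDIT_ISSUES}, {SPRINT_FIELD: 6})
    except PermissionDenied as exc:
        print(exc)                                # sprint unchanged
```

The bug described in this report corresponds to the update path checking only the generic edit permission while the UI consulted the schedule permission; routing both through `editable_fields` removes that divergence.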

      Impact

      This impacts Jira Mobile (both the iOS and Android native apps), the new issue view from backlog/boards, and any other service that uses the REST endpoints.


            sguio added a comment -

            Rolled out 100% 13th Sep.


            Adrian Ludwig (Inactive) added a comment -

            Checking in since this (and TOTEM-386) haven't been updated in a few days and this issue is being flagged as a violation of our Vulnerability SLA. What's the current status?

            Henry Katz added a comment -

            Requesting a higher prioritization of this issue, as this should be considered a process security failure.

            We had multiple cases of users/devs modifying sprint assignment without Sprint Leaders knowing that it has happened.

            Please also note that it breaks with the Default Permission Scheme.


              nso@atlassian.com Nara So
              jcarolan Josh Carolan