Jira Software Cloud / JSWCLOUD-16954

User without schedule issues permission is able to change sprint of an issue via edit issue REST endpoint


Details

    Description

      Current behaviour

      Using the full issue details web interface, if a user does not have the schedule issues permission, they are not able to move issues between sprints. They are not able to edit the sprint field from the issue details screen or from anywhere else. This is the expected behaviour.

      However, if I hit the REST endpoint authenticated as a user without the schedule issues permission for get issue (GET api/2/issue/{issueId}?expand=editmeta), the sprint field comes down with the edit meta indicating that it is editable. On top of that, changing the sprint of an issue by editing the issue using the update issue endpoint (PUT api/2/issue/{issueId}) returns successfully and changes the sprint when it shouldn't.

      Expected behaviour

      The expected behaviour is that the sprint field does not come as part of the edit meta of an issue if the user doesn't have this permission, and also updating the sprint using the update issue rest endpoint should fail if the user doesn't have this permission.

      This will make the official native Android and iOS apps, and the new issue view (as well as any other service that hits these endpoints) behave the same as the full view issue web interface.

      Impact

      This impacts Jira Mobile (both iOS and Android native apps) as well as the new issue view from backlog/boards, as well as any other service that uses the REST endpoints.
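      A regression check for the behaviour described above, added here as an example (not Atlassian's code): authenticated as a user who lacks Schedule Issues, it asks for the issue with expand=editmeta and reports whether the Sprint field is listed as editable, then tries to set the sprint through PUT api/2/issue/{key} and reports whether Jira accepted it. Assumptions are labelled in the code: the sprint custom field id (customfield_10020 below) differs per site, the environment variable names are made up for this script, and the two fake transports are constructed responses that stand in for a live instance so the script runs offline.

```python
"""Regression check for JSWCLOUD-16954-style behaviour.

Run as a user WITHOUT the Schedule Issues permission. Both findings must be
False; a True means the REST API is not enforcing the permission.
Added example, not Atlassian's code.
"""
import base64
import json
import os
import urllib.error
import urllib.request

# Assumption: the sprint field id differs per Jira site. Find yours with
# GET /rest/api/2/field and look for the field named "Sprint".
DEFAULT_SPRINT_FIELD = "customfield_10020"


def urllib_transport(method, url, headers, body):
    """Real HTTP transport; returns (status, response_text)."""
    data = body.encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method=method, headers=headers)
    try:
        with urllib.request.urlopen(req) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode()


class JiraClient:
    """Minimal Jira Cloud REST client using basic auth (email + API token)."""

    def __init__(self, base_url, email, api_token, transport=urllib_transport):
        self.base_url = base_url.rstrip("/")
        creds = base64.b64encode(f"{email}:{api_token}".encode()).decode()
        self.headers = {"Authorization": f"Basic {creds}",
                        "Accept": "application/json",
                        "Content-Type": "application/json"}
        self.transport = transport

    def call(self, method, path, payload=None):
        body = json.dumps(payload) if payload is not None else None
        status, text = self.transport(method, self.base_url + path, self.headers, body)
        return status, (json.loads(text) if text else {})


def sprint_field_in_editmeta(issue_json):
    """Return the id of the Sprint field if editmeta lists it as editable, else None."""
    fields = issue_json.get("editmeta", {}).get("fields", {})
    for field_id, meta in fields.items():
        if meta.get("name") == "Sprint":
            return field_id
    return None


def check_sprint_permission(client, issue_key, target_sprint_id,
                            sprint_field=DEFAULT_SPRINT_FIELD):
    """Probe GET ...?expand=editmeta and PUT api/2/issue/{key} as the client's user."""
    status, issue = client.call("GET", f"/rest/api/2/issue/{issue_key}?expand=editmeta")
    if status != 200:
        raise RuntimeError(f"GET issue failed: {status} {issue}")
    exposed = sprint_field_in_editmeta(issue)

    # The update endpoint answers 204 No Content on success; any 4xx is a rejection.
    status, _ = client.call("PUT", f"/rest/api/2/issue/{issue_key}",
                            {"fields": {exposed or sprint_field: target_sprint_id}})
    return {"editmeta_exposes_sprint": exposed is not None,
            "update_accepted": status == 204}


# Constructed fake transports (not real Jira output) so the check runs offline.
def fake_vulnerable_transport(method, url, headers, body):
    """Mimics the reported behaviour: Sprint is editable and the PUT succeeds."""
    if method == "GET":
        return 200, json.dumps({"key": "PROJ-1", "editmeta": {"fields": {
            "customfield_10020": {"name": "Sprint", "required": False}}}})
    return 204, ""


def fake_fixed_transport(method, url, headers, body):
    """Mimics the expected behaviour: Sprint absent from editmeta, PUT rejected."""
    if method == "GET":
        return 200, json.dumps({"key": "PROJ-1", "editmeta": {"fields": {
            "summary": {"name": "Summary", "required": True}}}})
    return 400, json.dumps({"errorMessages": [], "errors": {
        "customfield_10020": "Field 'customfield_10020' cannot be set."}})


if __name__ == "__main__":
    # Assumption: these environment variable names are specific to this script.
    client = JiraClient(os.environ["JIRA_URL"], os.environ["JIRA_EMAIL"],
                        os.environ["JIRA_TOKEN"])
    print(json.dumps(check_sprint_permission(client, os.environ["ISSUE_KEY"],
                                             int(os.environ["SPRINT_ID"])), indent=2))
```

      Point the script at a throwaway issue: when the permission is not enforced, the PUT really does move the issue, so pick a sprint you can move it back from.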


People

  nso@atlassian.com Nara So
  jcarolan Josh Carolan
  Votes: 0
  Watchers: 8
