The "Epic Link" field on screens (e.g. during issue creation or editing) shows all Epics in projects for which the user has the "Browse Projects" permission. However, in order to actually create the link the user needs the "Edit Issues" permission for both the Epic and the issue being created/edited (note: not the "Link Issues" permission). If the user attempts to create/edit an issue and link to an Epic that the user does not have permission to link to (i.e. in another project with different permissions), no error or warning is given on saving the changes and the resulting Epic Link field is left blank.
STEPS TO REPRODUCE
- Create two projects PROJA and PROJB.
- Create an epic in PROJA.
- Create a user and grant them only the "Browse Projects" permission for PROJA, and all permissions for PROJB.
- Log in as the above user.
- Create an issue in PROJB and use the "Epic Link" field to find the epic created in PROJA.
- Having created the issue, verify that no warning/error was given to say that the user doesn't have permission to link to the selected epic, and that the Epic Link field has been left empty.
We have a large number of teams working on a single JIRA instance across multiple projects. For reasons I won't go into (but can if need be), it is common for work in one project to be linked to an Epic in another. We also want to allow everyone to be able to "view" what is going on across the business in all projects, but want to control who can link to Epics in specific projects. Hence, all users are granted the "Browse Projects" permission, but further permissions are granted on a project by project basis, and users are only able to link to a small fraction of the projects which they can view.
The problems this bug causes with this use case are:
- A large number of Epics (several hundred in our case) are made available to a user even though they can't link to them in reality. Some other recent changes have made finding Epics easier, but it is still frustrating to have so many irrelevant Epics in the field.
- If a mistake is made (very easy when many projects have similarly named Epics) and an unlinkable Epic is selected, the lack of warning/error means that this can go unnoticed by users, and can be much harder to rectify in hindsight.
My preferred solution would be for the Epic Link field to only show Epics which the user can link to. If there is a reason I can't foresee for wanting to have unlinkable Epics in the screen, then at least providing a warning or preferably an error when the link is attempted would also be helpful, but would in the end only serve to highlight the underlying problem with the Epics shown in the Epic Link field.