Details
-
Bug
-
Resolution: Unresolved
-
Low
-
None
-
7.0.5, 7.3.0, 7.2.7, 7.9.2, 8.0.0, 7.13.0, 8.0.1
-
7
-
4
-
Severity 2 - Major
-
7
-
Description
Summary
The Resolve Issues project permission is defined as:
Ability to resolve and reopen issues. This includes the ability to set a fix version.
If this permission is revoked, a user will (correctly) not be allowed to edit the Affects Version/s and Fix Version/s fields from the Default View Issue screen, but will still be allowed to edit everything else (assuming they have Edit Issues permission).
However, if the view is changed to the Scrum Board's Backlog screen, the same user may drag the issue into a Version panel and the issue will be assigned that version, completely bypassing the Resolve Issues project permission
For a demonstration, see following mp4 screencapture: JSW-15528.mp4
Environment
Tested in JIRA Software 7.2.7 and JIRA Software 7.3.0
Steps to Reproduce
- Create a new Software Project with a Scrum Board
- Create a new version (i.e. "Test Version")
- Ensure that the current user has both Edit Issues and Resolve Issues permissions
- Ensure that the current user may set either the Affects Version/s or Fix Version/s field
- Revoke the current user's permission to Resolve Issues
Expected Results
- The user should lose the ability to edit the Version/s fields
- The user should not be able to drag the issue into the Version panel in the Backlog
Actual Results
- The user loses the ability to edit the Version/s fields
- The user can still drag the issue into the Version panel in the Backlog, bypassing the Resolve Issues permission
Attachments
Issue Links
- relates to
-
JSWSERVER-271 Insufficient permissions checks when scheduling an issue using the Planning Board
- Closed