Uploaded image for project: 'Jira Software Data Center'
  1. Jira Software Data Center
  2. JSWSERVER-20878

Cloning Story without Edit Permission on linked Epic causes workflow inconsistency on the Cloned issue

XMLWordPrintable

    • Icon: Bug Bug
    • Resolution: Duplicate
    • Icon: Low Low
    • None
    • 8.13.1
    • Epics, Issue - Fields
    • None

      Problem

      Cloning Story without Edit Permission on Epic Link (Epic Issue) causes workflow inconsistency on the Cloned issue even though the entire clone operation should fail.

      Environment

      8.13.x

      Steps to Reproduce

      1. Add issue security level to restrict Epic issue types to Administrators project role:
      2. Restrict Edit Issue permissions to Administrators only (to allow the non-admin user to only be able to clone Stories)
      3. Add the Security level on the Epic Issue to restrict to only admin users:
      4. Verify test user "user1" doesn't have edit issue permission on the Story (ABCD-12) and is restricted on the Epic issue (ABCD-11) due to Issue Security scheme:
        and
      5. Try to Clone the Story (ABCD-12)
      • Error on UI: admin.errors.exception com.atlassian.jira.exception.CreateException: com.atlassian.jira.workflow.WorkflowException: You do not have permission to edit the following issues: ABCD-11, ABCD-14.
      • Error in atlassian-jira.log:
        2021-03-04 16:40:12,079+0000 JiraTaskExecutionThread-3 ERROR user1 1000x1006x1 d789vb 172.29.213.55 /secure/CloneIssueDetails.jspa [c.a.j.bc.issue.DefaultIssueService] com.atlassian.jira.workflow.WorkflowException: You do not have permission to edit the following issues: ABCD-11, ABCD-14.
        com.atlassian.jira.exception.CreateException: com.atlassian.jira.workflow.WorkflowException: You do not have permission to edit the following issues: ABCD-11, ABCD-14.
        	at com.atlassian.jira.issue.managers.DefaultIssueManager.createIssue(DefaultIssueManager.java:522)
        	at com.atlassian.jira.issue.managers.DefaultIssueManager.createIssueObject(DefaultIssueManager.java:616)
        	at com.atlassian.jira.issue.managers.RequestCachingIssueManager.createIssueObject(RequestCachingIssueManager.java:212)
        	at com.atlassian.jira.bc.issue.CloneIssueCommand.call(CloneIssueCommand.java:133)
        	at com.atlassian.jira.bc.issue.CloneIssueCommand.call(CloneIssueCommand.java:61)
        	at com.atlassian.jira.task.TaskManagerImpl$TaskCallableDecorator.call(TaskManagerImpl.java:533)
        	at com.atlassian.jira.task.TaskManagerImpl$TaskCallableDecorator.call(TaskManagerImpl.java:491)
        	at java.util.concurrent.FutureTask.run(FutureTask.java:266)
        	at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
        	at java.util.concurrent.FutureTask.run(FutureTask.java:266)
        	at com.atlassian.jira.task.ForkedThreadExecutor$ForkedRunnableDecorator.run(ForkedThreadExecutor.java:216)
        	at java.lang.Thread.run(Thread.java:748)
        Caused by: com.atlassian.jira.workflow.WorkflowException: You do not have permission to edit the following issues: ABCD-11, ABCD-14.
        	at com.atlassian.jira.workflow.OSWorkflowManager.createIssue(OSWorkflowManager.java:780)
        	at com.atlassian.jira.issue.managers.DefaultIssueManager.createIssue(DefaultIssueManager.java:513)
        	... 11 more
        Caused by: java.lang.RuntimeException: You do not have permission to edit the following issues: ABCD-11, ABCD-14.
        	at com.atlassian.greenhopper.customfield.epiclink.EpicLinkCFType.ensureEpicAssignment(EpicLinkCFType.java:728)
        	at com.atlassian.greenhopper.customfield.epiclink.EpicLinkCFType.createValue(EpicLinkCFType.java:56)
        	at com.atlassian.jira.issue.fields.ImmutableCustomField.createValue(ImmutableCustomField.java:693)
        	at com.atlassian.jira.workflow.function.issue.IssueCreateFunction.execute(IssueCreateFunction.java:84)
        	at com.opensymphony.workflow.AbstractWorkflow.executeFunction(AbstractWorkflow.java:1014)
        	at com.opensymphony.workflow.AbstractWorkflow.transitionWorkflow(AbstractWorkflow.java:1407)
        	at com.opensymphony.workflow.AbstractWorkflow.initialize(AbstractWorkflow.java:606)
        	at com.atlassian.jira.workflow.OSWorkflowManager.createIssue(OSWorkflowManager.java:754)
        	... 12 more
        

      Expected Results

      Since the user cloning the Story doesn't have appropriate edit permission on the Epic Link (Epic issue) the entire operation should fail.

      Alternatively, Jira should:

      • Throw clearer error message with something like e.g., "Failed to clone <EPIC LINK> due to insufficient permission on linked epic"
      • NOT create workflow inconsistency on the cloned issue

      Actual Results

      • The incorrectly-cloned-issue (ABCD-14) is still created and no workflow transitions available:
      • Error on UI: admin.errors.exception com.atlassian.jira.exception.CreateException: com.atlassian.jira.workflow.WorkflowException: You do not have permission to edit the following issues: ABCD-11, ABCD-14.
      • Error in atlassian-jira.log:
        2021-03-04 16:40:12,079+0000 JiraTaskExecutionThread-3 ERROR user1 1000x1006x1 d789vb 172.29.213.55 /secure/CloneIssueDetails.jspa [c.a.j.bc.issue.DefaultIssueService] com.atlassian.jira.workflow.WorkflowException: You do not have permission to edit the following issues: ABCD-11, ABCD-14.
        com.atlassian.jira.exception.CreateException: com.atlassian.jira.workflow.WorkflowException: You do not have permission to edit the following issues: ABCD-11, ABCD-14.
        	at com.atlassian.jira.issue.managers.DefaultIssueManager.createIssue(DefaultIssueManager.java:522)
        	at com.atlassian.jira.issue.managers.DefaultIssueManager.createIssueObject(DefaultIssueManager.java:616)
        	at com.atlassian.jira.issue.managers.RequestCachingIssueManager.createIssueObject(RequestCachingIssueManager.java:212)
        	at com.atlassian.jira.bc.issue.CloneIssueCommand.call(CloneIssueCommand.java:133)
        	at com.atlassian.jira.bc.issue.CloneIssueCommand.call(CloneIssueCommand.java:61)
        	at com.atlassian.jira.task.TaskManagerImpl$TaskCallableDecorator.call(TaskManagerImpl.java:533)
        	at com.atlassian.jira.task.TaskManagerImpl$TaskCallableDecorator.call(TaskManagerImpl.java:491)
        	at java.util.concurrent.FutureTask.run(FutureTask.java:266)
        	at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
        	at java.util.concurrent.FutureTask.run(FutureTask.java:266)
        	at com.atlassian.jira.task.ForkedThreadExecutor$ForkedRunnableDecorator.run(ForkedThreadExecutor.java:216)
        	at java.lang.Thread.run(Thread.java:748)
        Caused by: com.atlassian.jira.workflow.WorkflowException: You do not have permission to edit the following issues: ABCD-11, ABCD-14.
        	at com.atlassian.jira.workflow.OSWorkflowManager.createIssue(OSWorkflowManager.java:780)
        	at com.atlassian.jira.issue.managers.DefaultIssueManager.createIssue(DefaultIssueManager.java:513)
        	... 11 more
        Caused by: java.lang.RuntimeException: You do not have permission to edit the following issues: ABCD-11, ABCD-14.
        	at com.atlassian.greenhopper.customfield.epiclink.EpicLinkCFType.ensureEpicAssignment(EpicLinkCFType.java:728)
        	at com.atlassian.greenhopper.customfield.epiclink.EpicLinkCFType.createValue(EpicLinkCFType.java:56)
        	at com.atlassian.jira.issue.fields.ImmutableCustomField.createValue(ImmutableCustomField.java:693)
        	at com.atlassian.jira.workflow.function.issue.IssueCreateFunction.execute(IssueCreateFunction.java:84)
        	at com.opensymphony.workflow.AbstractWorkflow.executeFunction(AbstractWorkflow.java:1014)
        	at com.opensymphony.workflow.AbstractWorkflow.transitionWorkflow(AbstractWorkflow.java:1407)
        	at com.opensymphony.workflow.AbstractWorkflow.initialize(AbstractWorkflow.java:606)
        	at com.atlassian.jira.workflow.OSWorkflowManager.createIssue(OSWorkflowManager.java:754)
        	... 12 more
        

      Workaround

      Without changing the permissions:

      • Through DB:
        • Identify cloned issue's workflow integrity:
          SELECT jiraissue.id issue_id,
                 jiraissue.workflow_id, 
                 os_wfentry.* 
          FROM   jiraissue
          JOIN   os_wfentry
          ON     jiraissue.workflow_id = os_wfentry.id
          WHERE  os_wfentry.state IS NULL 
          OR     os_wfentry.state = 0
          AND jiraissue.id = <CLONED_ISSUE_ID>;
        • UPDATE if state is 0 with:
          UPDATE os_wfentry SET state = 1 WHERE id = <CLONED_ISSUE_ID>;

          OR

      • DB Integrity checker for workflow intergrity and Fix all the errors
        OR
      • Change the issue type of the Clone issue to something else and then change it back to previous issuetype (only works if multiple issue types share the same workflow)
        OR
      • Move the issue to a different Project and move it back to previously intended project

      Change Permissions:

      • Allow the users with "Edit issue" permission
        OR
      • Remove "Create issue" permission for the group of users who shouldn't clone Stories

      Notes

        1. 2021-03-04_22-03-07.png
          2021-03-04_22-03-07.png
          104 kB
        2. 2021-03-04_22-15-23.png
          2021-03-04_22-15-23.png
          70 kB
        3. 2021-03-04_22-17-29.png
          2021-03-04_22-17-29.png
          11 kB
        4. 2021-03-04_22-18-19.png
          2021-03-04_22-18-19.png
          39 kB
        5. 2021-03-04_22-21-27.png
          2021-03-04_22-21-27.png
          92 kB
        6. 2021-03-04_22-24-30.png
          2021-03-04_22-24-30.png
          381 kB
        7. 2021-03-04_22-28-38.png
          2021-03-04_22-28-38.png
          110 kB

            Unassigned Unassigned
            smitra2@atlassian.com Suddha
            Votes:
            6 Vote for this issue
            Watchers:
            9 Start watching this issue

              Created:
              Updated:
              Resolved: