Jira Software Data Center: JSWSERVER-24780

The Assignee user picker doesn’t honor the “Assignable User” projects permission and allows browsing all users from the Jira instance

Details

    Description

      Issue Summary

      The Assignee user picker on an Advanced Roadmaps for Jira Plan can browse all users from the Jira instance regardless of the permissions defined at the project level (the “Assignable User” project permission). The actual permission check is only triggered when the applied changes are committed.

      Although you cannot assign an issue from the Plan view unless the user has the required project permission (the action does not complete successfully and an appropriate message is returned during commit), the current behavior should still be considered a security concern because the user picker shows all users, including their email addresses. For customers with high confidentiality/security standards who work with external parties, the current behavior introduces a privacy/GDPR breach, since personal data is unexpectedly exposed to other users.

      This is reproducible on Data Center: (yes)

      Steps to Reproduce

      1. Adjust your “Assignable User” project permission and limit it to certain users or groups.
      2. Try to change the assignee from the Jira issue view page: the list of assignees is limited based on the “Assignable User” permission.
      3. Create a new Advanced Roadmaps Plan and configure it to have issues only from your project. The issue can also be reproduced with multi-project issue sources; a single-project source simply illustrates the problem more clearly.
      4. On the Plan view, add the Assignee field and try to specify an assignee. Advanced Roadmaps sends requests to the /rest/teams/1.0/persons/find endpoint without any parameters. This returns all users available on the current Jira instance (the response is paginated, but you can filter users with the help of additional input), and the returned list is not limited by the “Assignable User” permission.
      5. (optional) Try to commit the changes using a user account that doesn't have the “Assignable User” permission. The operation will not complete, and a message will be returned telling you to check the permissions.

      Expected Results

      Depending on their business requirements, customers can configure their Jira instances so that certain information is available only to specific users (the “Assignable User” permission is one of these instruments). The Advanced Roadmaps assignee picker should honor this project permission and be aligned with the same functionality on the Jira issue view.

      Actual Results

      The current behavior allows basically anyone with access to Advanced Roadmaps plans to browse all users from the Jira instance and view their usernames and email addresses. This should be considered a security concern because it is an undesired disclosure of sensitive details.

      Workaround

      Currently, there is no known workaround for this behavior. A workaround will be added here when available.
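      As an added illustration that is not part of the issue report: while there is no workaround, the endpoint behaviour described in step 4 can at least be monitored. The Python snippet below runs a volume-based check over constructed access-log lines; the log layout, usernames, query parameter name and threshold are all assumptions, not Jira's documented format.

```python
import re
from collections import Counter

# Constructed access-log layout for this example (not Jira's documented format):
# client IP, authenticated username, timestamp, request line, HTTP status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)

# Endpoint named in the report; the Plan view calls it without parameters.
PERSONS_FIND = "/rest/teams/1.0/persons/find"

# Constructed sample: alice opens a Plan once; bob pages through the directory.
SAMPLE_LOG = """\
10.0.0.5 alice [12/Mar/2024:10:00:01 +0000] "GET /rest/teams/1.0/persons/find HTTP/1.1" 200
10.0.0.5 alice [12/Mar/2024:10:00:02 +0000] "GET /rest/api/2/issue/PROJ-1 HTTP/1.1" 200
10.0.0.9 bob [12/Mar/2024:10:01:00 +0000] "GET /rest/teams/1.0/persons/find HTTP/1.1" 200
10.0.0.9 bob [12/Mar/2024:10:01:01 +0000] "GET /rest/teams/1.0/persons/find?query=a HTTP/1.1" 200
10.0.0.9 bob [12/Mar/2024:10:01:02 +0000] "GET /rest/teams/1.0/persons/find?query=b HTTP/1.1" 200
10.0.0.9 bob [12/Mar/2024:10:01:03 +0000] "GET /rest/teams/1.0/persons/find?query=c HTTP/1.1" 200
10.0.0.9 bob [12/Mar/2024:10:01:04 +0000] "GET /rest/teams/1.0/persons/find?query=d HTTP/1.1" 200
10.0.0.9 bob [12/Mar/2024:10:01:05 +0000] "GET /rest/teams/1.0/persons/find?query=e HTTP/1.1" 200
"""

def parse_line(line):
    """Split one log line into fields; returns None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["path"], _, rec["query"] = rec.pop("target").partition("?")
    return rec

def persons_find_counts(lines):
    """Count requests to the persons/find endpoint per authenticated user."""
    counts = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec and rec["path"] == PERSONS_FIND:
            counts[rec["user"]] += 1
    return counts

def flag_enumeration(lines, threshold=5):
    """Return users whose call volume to persons/find reaches the threshold.

    One unparameterised call is normal Plan behaviour (step 4), so the signal
    is volume rather than presence; the threshold is a tuning assumption.
    """
    return {u: n for u, n in persons_find_counts(lines).items() if n >= threshold}
```

      Running `flag_enumeration(SAMPLE_LOG.splitlines())` on the constructed sample flags only bob; the threshold should be tuned against the real request rate of Plan users on the instance.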

              People

                Assignee: Unassigned
                Reporter: Alexander Artemenko
                Votes: 3
                Watchers: 6
