    • We collect Jira feedback from various sources, and we evaluate what we've collected when planning our product roadmap. To understand how this piece of feedback will be reviewed, see our Implementation of New Features Policy.

      Hi support,

      I am using Advanced Roadmap and I have noticed a security problem.

      Advanced Roadmap overrides any controls that are set in JIRA. If you have custom fields that are not editable in JIRA, with Advanced Roadmap it is possible anyway!

      The security problem is that if you use a Security Level based on a user picker field, and this is editable by anyone with Advanced Roadmap, it is possible to make visible issues that normally would not be visible in Jira or are protected by some condition rules.

      Please, check and fix as soon as possible.

      BR
      Antonio
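The report above describes writes that reach a field the project's edit screen never exposes, including the user-picker field that drives a Security Level. The following audit script is an added example for this page, not Atlassian code and not part of the Advanced Roadmaps product: it walks issue changelogs in the shape the Jira Server/DC REST API returns them (`GET /rest/api/2/issue/<KEY>?expand=changelog`, with `changelog.histories[].author.name` and `items[].field/fromString/toString`) and flags any change to a field that is not on the edit screen, plus the users newly added to the security-level picker. The project key `ACME`, the field names (`Approved Viewers`, `Approval Status`), the user names and the changelog entries are all constructed sample data; the per-project edit-screen field set is an assumed configuration that you would normally load from the project's screen scheme.

```python
"""Audit Jira changelogs for edits to fields the edit screen does not expose.

Added example for this report (not Atlassian code). It flags two things a
defender wants to see after reading the report:

  * any change to a field that is NOT on the project's edit screen (a write
    that Jira's own UI would not have allowed), and
  * changes to the user-picker field that feeds a Security Level, reporting
    which users were newly granted visibility of the issue.
"""
from dataclasses import dataclass

# Assumed configuration: fields present on each project's edit screen.
# In practice this comes from the project's screen scheme.
EDIT_SCREEN_FIELDS = {
    "ACME": {"Summary", "Description", "Assignee", "Priority"},
}

# Assumed name of the multi-user picker whose members drive the Security Level.
SECURITY_PICKER_FIELD = "Approved Viewers"


@dataclass(frozen=True)
class Finding:
    issue: str
    author: str
    field: str
    kind: str    # "read_only_edit" or "visibility_grant"
    detail: str


def split_users(value):
    """Jira renders a multi-user picker as a comma-separated display string."""
    return {u.strip() for u in (value or "").split(",") if u.strip()}


def audit_issue(issue, edit_screen_fields=EDIT_SCREEN_FIELDS):
    """Return Findings for every changelog item that bypassed the edit screen."""
    key = issue["key"]
    allowed = edit_screen_fields.get(key.split("-")[0], set())
    findings = []
    for history in issue["changelog"]["histories"]:
        author = history["author"]["name"]
        for item in history["items"]:
            field = item["field"]
            if field in allowed:
                continue  # an edit Jira's own edit screen permits; not interesting
            before, after = item.get("fromString"), item.get("toString")
            findings.append(Finding(key, author, field, "read_only_edit",
                                    f"{before!r} -> {after!r}"))
            if field == SECURITY_PICKER_FIELD:
                # Only *added* members matter: they gain visibility of the issue.
                added = split_users(after) - split_users(before)
                if added:
                    findings.append(Finding(key, author, field, "visibility_grant",
                                            "newly granted: " + ", ".join(sorted(added))))
    return findings


# Constructed sample changelog: one permitted edit, one write to a read-only
# field, and one edit to the security-level picker that adds a user.
SAMPLE_ISSUES = [
    {
        "key": "ACME-101",
        "changelog": {
            "histories": [
                {"author": {"name": "alice"},
                 "items": [{"field": "Priority", "fromString": "Low", "toString": "High"}]},
                {"author": {"name": "bob"},
                 "items": [
                     {"field": "Approval Status", "fromString": "Pending", "toString": "Approved"},
                     {"field": "Approved Viewers", "fromString": "alice", "toString": "alice, bob"},
                 ]},
            ]
        },
    }
]


def run_audit(issues=SAMPLE_ISSUES):
    """Audit every issue and return the combined list of Findings."""
    return [f for issue in issues for f in audit_issue(issue)]


if __name__ == "__main__":
    for f in run_audit():
        print(f"{f.issue} {f.kind:16} {f.field!r} by {f.author}: {f.detail}")
```

On the sample data the permitted Priority change produces nothing, while the two edits by `bob` yield three findings, one of them a `visibility_grant` naming `bob` as the newly added viewer. The changelog does not record which client made a write, so the script reports every bypass of the edit screen rather than trying to attribute it to Plans; it is a detection that complements, not replaces, the product-side fix the report asks for.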

            [JSWSERVER-24795] Advanced Roadmap allow editing of read-only fields

            Selcuk Tayar added a comment - So is there no solution to this?? This is a severe security issue!!

            Tomer Muster added a comment - This is critical. When this happens on Bulk Edit, I can understand, since only Admins should have access to that. However, plans are for regular users and should abide by Jira controls.

            Aakrity Tibrewal added a comment -
            Dear all,
            I would like to inform you that this issue in the project JPOSERVER is being migrated to the new project JSWSERVER. Your votes and comments will remain unchanged.
            Our team at Atlassian will continue to monitor this issue for further updates, so please feel free to share your thoughts or feedback in the comments.
            Sincerely,
            Aakrity Tibrewal
            Jira DC

            Muhammad Moazzam Hassan added a comment - Facing the same issue. How can the Jira Development Team allow these silly features in Plans? You have to test all scenarios when developing. Please try to resolve it as soon as possible.

            Mick Flanigan added a comment -
            Yes, this is a critical issue! A couple of items I have noticed working on this, this week:

            1: It allows editing of fields that were meant to be read-only.

            2: It allows the overwrite of custom calculated fields set through 3rd-party plugins, like JMWE, where Nunjucks commands set field values, but anyone can come into the screen and overwrite the values set by the plugin.

            Advanced Roadmaps needs to be integrated to respect the create and edit screen behaviors in Jira underneath it. If a field is only on the View screen, it should not be editable in the Plan.

            Omar Rashid added a comment - Noticed this as well. This needs to be fixed, as this is potentially a huge issue, allowing users to override controls in Jira. Also relates to https://jira.atlassian.com/browse/JPOSERVER-2879

              Assignee: Unassigned
              Reporter: Antonio Bosio
              Votes: 58
              Watchers: 34