Non-admin users are able to interact with the greyed-out Agile Board "Delete" button

    • Type: Bug
    • Resolution: Unresolved
    • Priority: Low
    • None
    • Affects Version/s: 9.12.15, 10.3.7, 10.7.1
    • Component/s: AgileBoard
    • 9.12
    • 1
    • Severity 3 - Minor

      Issue Summary

      Only a Jira administrator or a Board admin is allowed to configure Jira Software boards, including deleting a board. The "Delete" board button is shown greyed out if the logged-in user is not a Board admin or a Jira admin.

      However, a user who is neither a Board admin nor a Jira admin can still click through the greyed-out "Delete" button. The action eventually fails, but ideally the button should not be shown at all, or the user should not be able to click it.

      Steps to Reproduce

      1. Create a non-admin Jira user
      2. Create a Scrum board as a Jira admin user
      3. Log in as the non-admin Jira user and navigate through Boards > Choose a specific Board > Board (dropdown on the top-right) > Configure > Board (top-right) > Click the greyed-out Delete

      Expected Results

      Because the logged-in user is neither the Board admin nor a Jira admin, the greyed-out "Delete" button should not be clickable, or should not appear at all without the required permission.

      Actual Results

      The logged-in non-admin user is able to click through the "Delete" button, even though the delete action eventually fails with the error message: "only the owner of the board or an administrator can modify the configuration"

      Workaround

      • We can hide the "Delete" button for all users (including Jira admins) from the specific Board Configuration (i.e., Boards > Choose a specific Board > Board (dropdown on the top-right) > Configure > Board (top-right)):
      <script>
          // Function to hide the "Delete" button
          function hideDeleteButton() {
              // Hide the button if it is present; returns true once hidden
              const hideIfPresent = () => {
                  // Target the "Delete" button using its class
                  const deleteButton = document.querySelector('.js-view-action-delete');
                  if (!deleteButton) {
                      return false;
                  }
                  deleteButton.style.display = 'none';
                  return true;
              };
      
              // The button may already be rendered when this script runs
              if (hideIfPresent()) {
                  return;
              }
      
              // Otherwise use a mutation observer to watch for changes in the DOM
              const observer = new MutationObserver(() => {
                  if (hideIfPresent()) {
                      // Once the button is hidden, stop observing
                      observer.disconnect();
                  }
              });
      
              // Start observing the document body for changes
              observer.observe(document.body, { childList: true, subtree: true });
          }
      
          // Call the function to hide the button
          hideDeleteButton();
      </script>
      

      If applied, the above would hide the "Delete" button from the individual Boards > Configure > Board dropdown. However, a Jira admin can still delete a board from the Boards > View all boards > the three dots ... menu on the right side of each board.

      • A Jira admin will see the "Delete" button in the View all boards list
      • A Board admin (non-Jira admin) user will only see the "Delete" button on boards when the user is the Board admin
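
An alternative to hiding the button for everyone, as an added example that is not part of the original ticket or Atlassian's code: a capture-phase click guard that swallows clicks only while the button is greyed out, so admins keep a working "Delete". The selector comes from the workaround above; how the greyed-out state appears in the markup (`aria-disabled`, `disabled`, or a `disabled` class) is an assumption to check against your instance, and the helper names are hypothetical.

```javascript
// Selector taken from the workaround on this page.
const DELETE_SELECTOR = '.js-view-action-delete';

// ASSUMPTION: the greyed-out state is exposed as aria-disabled="true",
// a `disabled` attribute, or a "disabled" class. Inspect the button in
// your instance and adjust this function to match its real markup.
function isGreyedOut(el) {
    return el.getAttribute('aria-disabled') === 'true' ||
        el.hasAttribute('disabled') ||
        el.classList.contains('disabled');
}

// Decide whether a click that landed on `target` should be swallowed.
function shouldBlockClick(target) {
    if (!target || typeof target.closest !== 'function') {
        return false;
    }
    // closest() also matches when an icon or label inside the button is clicked.
    const button = target.closest(DELETE_SELECTOR);
    return button !== null && isGreyedOut(button);
}

// Install one capture-phase listener on the document. Delegation means it
// keeps working when the board configuration view is re-rendered, with no
// MutationObserver, and it runs before handlers bound on the button itself.
function installDeleteGuard(doc) {
    doc.addEventListener('click', (event) => {
        if (shouldBlockClick(event.target)) {
            event.preventDefault();
            event.stopImmediatePropagation();
        }
    }, true);
}

// Only install in a browser context.
if (typeof document !== 'undefined') {
    installDeleteGuard(document);
}
```

Like the hiding script, this only changes the UI; the server-side permission check that produces the error quoted under Actual Results remains the control that prevents the deletion.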

            Assignee:
            Unassigned
            Reporter:
            Suddha
            Votes:
            1
            Watchers:
            3