Changes to user suggestions in Jira 8.19.1 and later might result in suggesting users that aren’t eligible
In Jira 8.19.1 and later, we’ve changed how user suggestions work when you mention someone or assign them to an issue. This change improves performance, but in some cases you’ll see suggestions of users that aren’t eligible (for example, users who don’t have permission to view the project).
This article is related to the following issues:
Until Jira 8.19.1, when suggesting users to be selected, we checked their permissions as you typed to make sure we suggested only relevant users. These checks included regular permissions, but also other dependencies, such as extra checks used in workflow permissions or issue security levels. Thanks to this, the suggestions always included the right users.
Such detailed checks affected performance and often resulted in timeouts on large Jira instances. That’s because even a single mention meant checking all existing users, their permissions and dependencies, and generated a large number of database queries.
From Jira 8.19.1, we match suggested users only against permissions specified in your permission scheme, and only check additional dependencies when you actually select a user. In some cases, described below as Limitations, this results in suggesting users that aren’t eligible. Note that this change only affects retrieving the list of users. We’ve kept all the relevant validations in place when you try to select an ineligible user.
We’ve identified three cases where you might see ineligible users as suggestions, and provided explanations of what exactly happens when you try to select them.
1. Issue security level
Setting issue security level allows you to control which users or groups can view an issue. You can read more about it here.
From Jira 8.19.1, users who aren’t allowed to see a project or issue will be shown in the list of suggestions, and you’ll even be able to select them. These users, however, won’t get any notifications and won’t be able to view the project or issue.
2. Workflow permissions
Workflows allow you to change assignees when transitioning issues to a different status.
If your workflows are configured in this way, the list of suggested assignees might show ineligible users. However, you won’t be able to select them as we’ll check additional permissions on selection.
3. Plugins: ProjectPermissionOverrides
ProjectPermissionOverrides allows plugins to override any passed permission checks. The only usage we’ve identified is Jira Service Management’s ServiceDeskCollaboratorPermissionOverride.java for assignees.
In projects that rely on ProjectPermissionOverrides, the list of suggested assignees might contain ineligible users. However, you won’t be able to select them as we’ll check additional permissions on selection.
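The issue security level case is the only one of the three where an ineligible user can actually be selected, so it is the one worth auditing after the fact. The following is an added example, not Atlassian code: it flags issues whose assignee cannot view them. The data is constructed, and the model is a simplifying assumption in which each security level grants access only to named users and groups.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Issue:
    key: str
    assignee: Optional[str]
    security_level: Optional[str]  # None means no issue security level is set


# Constructed sample data (assumption): substitute an export from your own instance.
USER_GROUPS = {
    "alice": {"jira-software-users", "security-team"},
    "bob": {"jira-software-users"},
    "carol": {"jira-software-users", "security-team"},
}
SECURITY_LEVELS = {
    "Confidential": {"users": {"bob"}, "groups": {"security-team"}},
    "Restricted": {"users": set(), "groups": {"security-team"}},
}
ISSUES = [
    Issue("PROJ-1", "alice", "Confidential"),  # allowed through a group
    Issue("PROJ-2", "bob", "Confidential"),    # allowed as a named user
    Issue("PROJ-3", "bob", "Restricted"),      # not in the level
    Issue("PROJ-4", "bob", None),              # no security level set
    Issue("PROJ-5", None, "Restricted"),       # unassigned
    Issue("PROJ-6", "dave", "Restricted"),     # user missing from the export
    Issue("PROJ-7", "carol", "Legacy"),        # level missing from the export
]


def can_view(user, level, levels, user_groups):
    """Return True if the user is covered by the issue's security level."""
    if level is None:
        return True
    grant = levels.get(level)
    if grant is None:
        return False  # unknown level: fail closed so it gets reviewed
    groups = user_groups.get(user, set())
    return user in grant["users"] or bool(groups & grant["groups"])


def hidden_assignments(issues, levels, user_groups):
    """List (key, assignee, level) for issues the assignee cannot view."""
    return [
        (i.key, i.assignee, i.security_level)
        for i in issues
        if i.assignee and not can_view(i.assignee, i.security_level, levels, user_groups)
    ]
```

Each flagged issue has an assignee who, per the behaviour described above, gets no notifications and cannot open the issue, so it needs either a reassignment or a change to the security level.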
Working around the limitations
These limitations might be inconvenient, but they don’t affect the security of your projects and issues. We’ve concluded that significant performance improvements provide much more benefit, especially in large Jira instances.
You can still work around them by updating your permission schemes. All permissions specified in the scheme will be respected in user suggestions.