Granting Browse Project permission to 'Current Assignee', 'Reporter' or 'User Custom Field Value' allows all users to view Project information

Related content

  • No related content found

Still need help?

The Atlassian Community is here for you.

Ask the community

Symptoms

Granting the "Browse Project" permission to any of the following entities in a project's permission scheme allows all users to view project information, such as the project name, project key, and so on. 

  • Reporter
  • Single user
  • Current assignee
  • User custom field value
  • Group custom field value

Cause

Permissions for all of these entities are granted on the issue level, and not the project level. When you create the first issue in your project, it will be restricted to the entity you've chosen (e.g. current assignee), but the whole project will be visible to anybody, as there are no project-level permissions that would restrict it (for example, role Administrators). If you’re looking to hide the project, you need to assign the ‘Browse project’ permission to a role or a group, and then use issue security levels to further restrict particular issues.

Here are some bugs related to this issue:

How to restrict issues (and the project itself) to desired roles and groups:

  1. Start by hiding the whole project. You can do this by setting the "Browse Project" permission to one of the following entities. Permissions for these entities are granted on the project level, and will work before you even create the first issue.

    • Project role
    • Application access
    • Group

  2. Once you've hidden the project information, you can further restrict issues to all original entities mentioned in "Symptoms" by using issue security schemes and security levels. For more info, see Configuring issue-level security.

Alternative method

To work around this issue with Assignee and Reporter, you may enable the optional "Assignee (show only projects with assignable permission)" security type. This security type allows you to restrict project browsing to "assignable" users (i.e. users which can have issues assigned to them) in a project permission scheme. You can use this security type instead of "Current Assignee" in your project permission schemes. 

More information regarding the Reporter on Current Reporter Browse Project Permission

To do this:

  1. Edit the WEB-INF/classes/permission-types.xml file.

  2. Find the following code and uncomment all code in the <type> tag:

         <!--  Uncomment & use this permission to show only projects where the user has the assignable permission and issues within that where they are the assignee -->
     <!--  This permission type should only ever be assigned to the "Browse Projects" permission. -->
     <!--  Other permissions can use the "reporter" or "create" permission type as appropriate. -->
     <!--
     <type id="assigneeassignable" enterprise="true">
         <class>com.atlassian.jira.security.type.CurrentAssigneeHasAssignablePermission</class>
     </type>
     -->
  3. Restart Jira.
  4. Configure the permission scheme for the project, remove the "Browse Project" permission from "Current Assignee", and assign the "Browse Project" permission to "Assignee (show only projects with assignable permission)".



Last modified on May 4, 2021

Was this helpful?

Yes
No
Provide feedback about this article

Related content

  • No related content found
Powered by Confluence and Scroll Viewport.