Granting Browse Project permission to 'Current Assignee', 'Reporter' or 'User Custom Field Value' allows all users to view Project information


Symptoms

Granting "Browse Project" permission to "Current Assignee" in a project's permission scheme allows all users to view project information, such as the project name, project key, etc.

Cause

This is caused by bugs:

How to restrict issues to only desired roles and groups:

If a Project is only relevant to a 'Group A':

  1. Add 'Group A' to the Role(Users) and remove unrelated groups that shouldn't see the project.
  2. Set Create and Browse permissions for Role(Users) instead of 'Current Assignee' or 'Reporter'.
  3. Use issue-level security to restrict viewing to Reporter or Assignee.

Result: only users in 'Group A' see the project, and each user can browse only the issues they reported or are assigned.

For step-by-step instructions on setting the security level, see "How to limit user to only browse issues assigned to or reported by them".

Alternative Method:

To work around this issue with Assignee and Reporter, you may enable the optional "Assignee (show only projects with assignable permission)" security type. This security type allows you to restrict project browsing to "assignable" users (i.e. users who can have issues assigned to them) in a project permission scheme. You can use this security type instead of "Current Assignee" in your project permission schemes.

For more information regarding the Reporter, see "Current Reporter Browse Project Permission".

To do this:

  1. Edit the WEB-INF/classes/permission-types.xml file.
  2. Find the following code and uncomment all code in the <type> tag:

         <!--  Uncomment & use this permission to show only projects where the user has the assignable permission and issues within that where they are the assignee -->
         <!--  This permission type should only ever be assigned to the "Browse Projects" permission. -->
         <!--  Other permissions can use the "reporter" or "create" permission type as appropriate. -->
         <!--
         <type id="assigneeassignable" enterprise="true">
             <class>com.atlassian.jira.security.type.CurrentAssigneeHasAssignablePermission</class>
         </type>
         -->
  3. Restart JIRA.
  4. Configure the permission scheme for the project, remove the "Browse Project" permission from "Current Assignee", and assign the "Browse Project" permission to "Assignee (show only projects with assignable permission)".
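
To see which permission schemes need this change, the following added example (not Atlassian's code) flags every scheme in which Browse Projects is held by one of the three grant types named in the title. It assumes the schemes were exported as JSON in the shape of Jira's permission scheme REST listing with permissions expanded; the holder type names, the sample data and the function name are assumptions.

```python
import json

# Grant types this article names as exposing project information when they
# hold Browse Projects. The REST holder type names (keys) are an assumption.
RISKY_HOLDERS = {
    "assignee": "Current Assignee",
    "reporter": "Reporter",
    "userCustomField": "User Custom Field Value",
}

# Constructed sample, shaped like a permission scheme listing with expanded
# permissions. Scheme names, ids and the custom field id are made up.
SAMPLE_EXPORT = json.dumps({
    "permissionSchemes": [
        {"id": 10000, "name": "Group A scheme", "permissions": [
            {"id": 1, "permission": "BROWSE_PROJECTS",
             "holder": {"type": "projectRole", "parameter": "10001"}},
        ]},
        {"id": 10001, "name": "Helpdesk scheme", "permissions": [
            {"id": 3, "permission": "BROWSE_PROJECTS",
             "holder": {"type": "assignee"}},
            {"id": 4, "permission": "BROWSE_PROJECTS",
             "holder": {"type": "userCustomField", "parameter": "customfield_10200"}},
            {"id": 5, "permission": "CREATE_ISSUES",
             "holder": {"type": "reporter"}},  # not Browse Projects: ignored
        ]},
    ]
})


def find_exposed_schemes(export_json):
    """Return (scheme name, grant label, parameter) for each Browse Projects
    grant held by a holder type listed in RISKY_HOLDERS."""
    findings = []
    for scheme in json.loads(export_json).get("permissionSchemes", []):
        for grant in scheme.get("permissions", []):
            holder = grant.get("holder") or {}
            if (grant.get("permission") == "BROWSE_PROJECTS"
                    and holder.get("type") in RISKY_HOLDERS):
                findings.append((scheme.get("name"),
                                 RISKY_HOLDERS[holder["type"]],
                                 holder.get("parameter")))
    return findings


if __name__ == "__main__":
    for name, label, param in find_exposed_schemes(SAMPLE_EXPORT):
        suffix = f" ({param})" if param else ""
        print(f"{name}: Browse Projects granted to {label}{suffix}")
```

Each scheme it reports is a candidate for the role-based method or the alternative security type described above.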

Last modified on Jan 10, 2017
