Adding "JIRA Project Releases" event type to the Team calendar seems to NOT respect permissions from the project. It means even people that have no access to some project will see the release dates from the forbidden project.
Expected behavior: *Users should see only "JIRA Project Releases" from projects to which they have access.*
I was surprised a lot that it doesn't work this way and I consider it big issue with security.
{"id": "ATLASSIAN:CONF-48963", "vendorId": null, "type": "atlassian", "bulletinFamily": "software", "title": "\"JIRA Project Releases\" event should respect Project's permissions", "description": "Adding \"JIRA Project Releases\" event type to the Team calendar seems to NOT respect permissions from the project. It means even people that have no access to some project will see the release dates from the forbidden project.\r\n\r\nExpected behavior: *Users should see only \"JIRA Project Releases\" from projects to which they have access.*\r\n\r\nI was surprised a lot that it doesn't work this way and I consider it big issue with security.", "published": "2015-06-08T11:04:40", "modified": "2017-03-01T01:21:56", "cvss": {"vector": "NONE", "score": 0.0}, "cvss2": {}, "cvss3": {}, "href": "https://jira.atlassian.com/browse/CONF-48963", "reporter": "nikola.bornova2", "references": [], "cvelist": [], "immutableFields": [], "lastseen": "2021-06-08T18:52:09", "viewCount": 2, "enchantments": {"dependencies": {}, "score": {"value": 1.0, "vector": "NONE"}, "backreferences": {}, "exploitation": null, "vulnersScore": 1.0}, "affectedSoftware": [{"name": "confluence", "operator": "le", "version": "No Version"}], "_state": {"dependencies": 1645229748}}
"JIRA Project Releases" event should respect Project's permissions