"User Custom Field Value" permission type incorrectly exposes JIRA project names to everyone

2009-09-02T15:54:30
ID ATLASSIAN:JRASERVER-18812
Type atlassian
Reporter ximon.eighteen@gmail.com
Modified 2017-02-17T06:15:43

Description

Problem:

Project names are shown to users with no permission to see the project.

Impact:

Security hole!

Recipe:

(it helps to have two browsers open, one logged in as admin and the other logged in as the user I will create, called dummy)

  • Add user dummy
  • Add project blah
  • Add custom field myuser of type user picker, global context and shown on all screens
  • Remove all role assignments for project blah
  • Grant yourself permission to create and edit issues in project blah
  • Create issue BLAH-1
  • Login as user dummy and check you cannot see project BLAH in BROWSE PROJECT -> All Projects (or BROWSE PROJECTS) (good)
  • As the admin user, edit project blah's permission scheme and grant the Browse Project permission to User Custom Field Value (myuser)
  • Login as user dummy and notice that you can now see project BLAH in BROWSE PROJECT -> All Projects (or BROWSE PROJECTS) (bad!) but you cannot see issue BLAH-1 (good)
  • As the admin user, edit issue BLAH-1 and add user dummy to the myuser field
  • As the dummy user you should now be able to see issue BLAH-1 (good)

The problem is that com.atlassian.jira.security.type.UserCF:hasProjectPermission() must return true before the user can see any issue in the project, even though com.atlassian.jira.security.type.UserCF:hasIssuePermission() exists to decide visibility per issue. Making com.atlassian.jira.security.type.UserCF:hasProjectPermission() return false correctly stops the project appearing in the project list, but it also prevents the user from viewing any issue, including those whose myuser field names them.
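To make the coupling between the two checks concrete, here is an added model of the permission type as the report describes it; it is illustrative Python, not Atlassian's code, and the class names UserCFFlawed and UserCFFixed, the scheme dictionary, and the reproduce() helper are all hypothetical. The flawed variant makes the project-level check unconditional so that the issue-level check can ever be consulted, which is exactly what exposes the project name; the fixed variant derives project visibility from whether the user is actually named in the field on at least one of the project's issues, so the project list and the issue view agree.

```python
from dataclasses import dataclass, field


@dataclass
class Issue:
    key: str
    project: str
    fields: dict = field(default_factory=dict)   # custom field name -> username


class UserCFFlawed:
    """Models the behaviour the report describes: the project-level check
    always passes so that the issue-level check is ever consulted."""

    def __init__(self, cf_name):
        self.cf_name = cf_name

    def has_project_permission(self, project, user, issues):
        return True          # every project carrying this grant is listed to everyone

    def has_issue_permission(self, issue, user):
        return issue.fields.get(self.cf_name) == user


class UserCFFixed(UserCFFlawed):
    """Hypothetical hardened variant: a project is visible only if the user is
    actually named in the field on at least one of its issues."""

    def has_project_permission(self, project, user, issues):
        return any(i.project == project and i.fields.get(self.cf_name) == user
                   for i in issues)


def visible_projects(user, scheme, issues):
    """scheme: project key -> list of permission types granting Browse Project."""
    return sorted(p for p, types in scheme.items()
                  if any(t.has_project_permission(p, user, issues) for t in types))


def can_view_issue(user, issue, scheme, issues):
    # Both checks must pass, as in the report's account of the two methods.
    types = scheme.get(issue.project, [])
    return any(t.has_project_permission(issue.project, user, issues)
               and t.has_issue_permission(issue, user) for t in types)


def reproduce(perm_cls):
    """Walks the report's recipe with constructed data; returns (projects listed
    before the field is set, issue visible before, projects listed after,
    issue visible after)."""
    perm = perm_cls("myuser")
    scheme = {"BLAH": [perm]}            # Browse Project granted only via the custom field
    blah1 = Issue("BLAH-1", "BLAH")
    issues = [blah1]
    before = (visible_projects("dummy", scheme, issues),
              can_view_issue("dummy", blah1, scheme, issues))
    blah1.fields["myuser"] = "dummy"     # admin adds dummy to the myuser field
    after = (visible_projects("dummy", scheme, issues),
             can_view_issue("dummy", blah1, scheme, issues))
    return before + after


if __name__ == "__main__":
    print("flawed:", reproduce(UserCFFlawed))   # (['BLAH'], False, ['BLAH'], True)
    print("fixed: ", reproduce(UserCFFixed))    # ([], False, ['BLAH'], True)
```

The flawed run reproduces the report exactly: BLAH is listed to dummy before dummy appears in any field, yet BLAH-1 stays hidden. The fixed run lists BLAH only once the field grants dummy a real issue, and issue visibility is unchanged in both cases.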

I did a quick Google and checked for issues in this JIRA but couldn't find this bug.