"User Custom Field Value" permission type incorrectly exposes JIRA project names to everyone

Type atlassian
Reporter ximon.eighteen@gmail.com
Modified 2017-02-17T06:15:43



Project names are shown to users with no permission to see the project.

Security hole!

(It helps to have two browsers open: one logged in as admin, the other as the user I will create, called dummy.)

  • Add user dummy
  • Add project blah
  • Add custom field myuser of type user picker, global context and shown on all screens
  • Remove all role assignments for project blah
  • Grant yourself permission to create and edit issues in project blah
  • Create issue BLAH-1
  • Log in as user dummy and check you cannot see project BLAH in BROWSE PROJECT -> All Projects (or BROWSE PROJECTS) (good)
  • As the admin user, edit the permission scheme of project blah:
      • Grant Browse Project permission to User Custom Field Value (myuser)
  • Log in as user dummy and notice that you can now see project BLAH in BROWSE PROJECT -> All Projects (or BROWSE PROJECTS) (bad!) but you cannot see issue BLAH-1 (good)
  • As the admin user, edit issue BLAH-1 and add user dummy to the myuser field
  • As the dummy user you should now be able to see issue BLAH-1 (good)

The problem is that com.atlassian.jira.security.type.UserCF:hasProjectPermission() must return true for the user to see the issue at all, even though com.atlassian.jira.security.type.UserCF:hasIssuePermission() exists to make that per-issue decision. Because the project-level check returns true for every user, the project name leaks into the project list. Making com.atlassian.jira.security.type.UserCF:hasProjectPermission() return false correctly stops the project appearing in the project list, but it also prevents the user viewing any issues, including the ones where they are the custom field value.
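A small Python model of the two checks the report describes, added here as an illustration and not JIRA's code: the project-level check behaving as reported, beside a scoped variant that grants project visibility only once the user holds the custom field on some issue in that project. The scoped variant is an assumption about what a fix could look like, not Atlassian's actual change; the data in scenario() is constructed to mirror the steps above.

```python
from dataclasses import dataclass


@dataclass
class Issue:
    key: str
    project: str
    fields: dict  # custom field name -> user name held in that field


@dataclass
class Grant:
    """A permission-scheme entry of type "User Custom Field Value"."""
    project: str
    permission: str  # e.g. "BROWSE_PROJECTS"
    field_name: str  # the user-picker custom field the grant refers to


class UserCFPermission:
    """Hypothetical model of the UserCF permission type (not JIRA's code)."""

    def __init__(self, issues):
        self.issues = issues

    def has_issue_permission(self, grant, user, issue):
        # Issue-level check: the user must be the value of the custom field.
        return issue.project == grant.project and issue.fields.get(grant.field_name) == user

    def has_project_permission_reported(self, grant, user, project):
        # Behaviour described in the report: true for every user of the
        # granted project, which is what leaks the project name into the list.
        return project == grant.project

    def has_project_permission_scoped(self, grant, user, project):
        # Tighter variant: true only if the user holds the field on at least
        # one issue of that project, so the name appears only when warranted.
        return any(self.has_issue_permission(grant, user, i)
                   for i in self.issues if i.project == project)


def browse_projects(ptype, grants, user, projects, scoped):
    check = ptype.has_project_permission_scoped if scoped else ptype.has_project_permission_reported
    return sorted(p for p in projects
                  if any(g.permission == "BROWSE_PROJECTS" and check(g, user, p) for g in grants))


def browse_issues(ptype, grants, user):
    return sorted(i.key for i in ptype.issues if any(
        g.permission == "BROWSE_PROJECTS" and ptype.has_issue_permission(g, user, i) for g in grants))


def scenario(assign_dummy):
    # Constructed data: project BLAH, issue BLAH-1, grant on field myuser, user dummy.
    issue = Issue("BLAH-1", "BLAH", {"myuser": "dummy"} if assign_dummy else {})
    ptype = UserCFPermission([issue])
    grants = [Grant("BLAH", "BROWSE_PROJECTS", "myuser")]
    return {"reported": browse_projects(ptype, grants, "dummy", ["BLAH"], scoped=False),
            "scoped": browse_projects(ptype, grants, "dummy", ["BLAH"], scoped=True),
            "issues": browse_issues(ptype, grants, "dummy")}
```

Before dummy is added to myuser, the reported check already lists BLAH while no issue is visible; the scoped check lists nothing until BLAH-1 carries the field value.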

I did a quick Google search and checked for existing issues in this JIRA but couldn't find this bug.