Improve filter behaviour: auto-complete should not give away field values

Type atlassian
Reporter andreas.vanrienen
Modified 2018-02-08T06:57:13


{panel:bgColor=#e7f4fa} NOTE: This suggestion is for JIRA Server. Using JIRA Cloud? [See the corresponding suggestion|]. {panel}

h4. Context

When using JQL with auto-complete switched on, searching for fields will always list global values. For instance, when using the IN operator in JQL, auto-complete will "give away" values for the majority of fields. Given that for each individual project there are schemes restricting or limiting the available fields, only context-specific values should be accessible to the user. The current behaviour seems to be potentially problematic with regard to usability as well as security.

h4. Objective

As a user, I want the auto-complete function to only present field values relevant for my context.

With "my context" meaning:

* projects I have permission to browse; or
* values for fields that are configured/enabled via a scheme configuration for that project.

In other words: the behaviour and underlying logic of JIRA's JQL search capabilities should respect project configuration and permissions so as not to reveal global field values.

h4. Steps to reproduce

# Create a user that has access only to one particular project.
# Configure the project in the following way:
#* a basic workflow (e.g. only with three statuses TODO, DOING, DONE);
#* no custom fields used on any screen or in any scheme.
# In JIRA, browse to "Search for issues" in Advanced mode and try the following:

{code}
status IN (
{code}

-> Auto-complete will display a preview of all existing statuses (in addition to our three).

{code}
project IN ("My Project") AND
{code}

-> A preview of globally existing custom fields will be displayed.

Other fields which are affected by the described behaviour as well are:

* Issue Type
* Status
* Assignee
* Resolution
* Component
* FixVersion
* Custom Fields

h4. Footnote

The search for projects does respect the configuration. As a user, auto-complete only displays a list of projects I am authorised to browse:

{code}
project IN (
{code}
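The following is an added example illustrating the Objective and the Steps to reproduce above; it is not JIRA code and does not call the JIRA API. It models the requested behaviour in plain Python: an autocomplete that only returns values reachable through a project the user may browse, alongside the current global behaviour, and a check that lists which values the global behaviour reveals to a given user. The projects, users, permissions, statuses and custom field names are constructed for the illustration.

```python
"""Context-aware JQL autocomplete model and leak check (added example, not JIRA code)."""
from dataclasses import dataclass

# Constructed: the global value lists that today's autocomplete hands out
# regardless of who is asking. Field names are used as plain keys.
GLOBAL_VALUES = {
    "status": ["TODO", "DOING", "DONE", "In Review", "Blocked", "Awaiting Legal"],
    "customfield": ["Severity", "Customer Account", "Escalation Owner"],
}


@dataclass
class ProjectConfig:
    """What a project's workflow and field configuration schemes expose."""
    key: str
    statuses: set
    custom_fields: set


# Constructed project configurations, as in the reproduction steps:
# MYP has a three-status workflow and no custom fields on any screen.
PROJECTS = {
    "MYP": ProjectConfig("MYP", {"TODO", "DOING", "DONE"}, set()),
    "SEC": ProjectConfig("SEC", {"TODO", "In Review", "Blocked", "DONE"},
                         {"Severity", "Escalation Owner"}),
}

# Constructed browse permissions: restricted.user can only browse MYP.
BROWSE_PERMISSION = {
    "restricted.user": {"MYP"},
    "admin": {"MYP", "SEC"},
}


def context_values(user, field_name):
    """Values the user may legitimately see: the union over browsable projects."""
    allowed = set()
    for key in BROWSE_PERMISSION.get(user, set()):
        project = PROJECTS[key]
        allowed |= project.statuses if field_name == "status" else project.custom_fields
    return allowed


def suggest(user, field_name, prefix="", scoped=True):
    """Autocomplete suggestions for a field.

    scoped=True is the requested behaviour (filter by the user's context).
    scoped=False reproduces the current behaviour (global list for everyone).
    Global list order is preserved so the UI stays stable.
    """
    candidates = GLOBAL_VALUES[field_name]
    if scoped:
        allowed = context_values(user, field_name)
        candidates = [v for v in candidates if v in allowed]
    return [v for v in candidates if v.lower().startswith(prefix.lower())]


def leaked_values(user, field_name):
    """Values the unscoped autocomplete reveals that the user cannot reach."""
    unscoped = set(suggest(user, field_name, scoped=False))
    return sorted(unscoped - context_values(user, field_name))


if __name__ == "__main__":
    for user in BROWSE_PERMISSION:
        for field_name in GLOBAL_VALUES:
            print(user, field_name, "scoped:", suggest(user, field_name),
                  "leaked by global list:", leaked_values(user, field_name))
```

Run stand-alone, the script prints, per user and field, the scoped suggestions against the values the global list exposes; the restricted user of the reproduction steps gets only TODO, DOING and DONE for {{status}} and nothing for custom fields, while the global list additionally reveals the statuses and custom field names of the project they cannot browse.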