h3. Issue Summary
If within a project the ‘Browse Project Archive’ and ‘Browse Project’ permissions are granted to ‘Group Custom Field’ or to the ‘Reporter’ option within the permission scheme, the project will become available to search for any user with the ‘Browse Project Archive’ permission in any project within {}Issues > Archive Issues{}. This allows the user to search for (but not view) issues in projects they do not have access to.
This is reproducible on Data Center: (yes)
h3. Steps to Reproduce
h3. Expected Results
If the user it not explicitly assigned the ‘Browse Project Archive’/‘Browse Projects’ or the Custom Field is not filled in to grant the user the ability to see the project archive for these issues, the results should not show these issues.
h3. Actual Results
The user is shown results in the result list for projects that they do not have the ‘Browse Project Archive’/‘Browse Projects’ permission for. Although they cannot view these issues if they try to open it, they can see the Summary in the result set.
Doing a standard issue search via Issues > Search for Issues does not show issues in the result set. But the Archive Search does.
h3. Workaround
The only workaround currently is not use the reporter or custom field option when setting the permissions for the Browse Project Archive/Browse Projects permissions.
CPE | Name | Operator | Version |
---|---|---|---|
jira data center | le | 8.13.22 | |
jira data center | le | 9.1.0 | |
jira data center | le | 8.20.11 |