JRASERVER-74235
Aug 25, 2022 - 5:48 p.m.

Granting the 'Browse Project Archive' permission to a 'Custom Field' within a permission scheme allows all users to see archived issues in result set

jira.atlassian.com

h3. Issue Summary

If, within a project's permission scheme, the 'Browse Project Archive' and 'Browse Projects' permissions are granted to a 'Group Custom Field Value' or to 'Reporter', that project's archived issues become visible to every user who holds 'Browse Project Archive' in any other project, through Issues > Archived Issues. Such a user can search for, and see the summaries of, archived issues in projects they have no access to, although they cannot open them.

This is reproducible on Data Center: yes
h3. Steps to Reproduce

# Create two projects (Project A and Project B) and a limited-access user (user 1).
# Grant user 1 the 'Browse Project Archive' and 'Browse Projects' permissions for Project A only.
# Ensure user 1 is not granted any permission on Project B.
# Archive one issue from Project A and one from Project B.
# As user 1, open Issues > Archived Issues and perform an empty search. Only the archived issue from Project A is listed, as expected.
# In Project B's permission scheme, grant the 'Browse Project Archive' and 'Browse Projects' permissions to a 'Group Custom Field Value'.
# Leave the selected custom field empty on the issues in Project B.
# As user 1, search Issues > Archived Issues again. Archived issues from both Project A and Project B are now listed, even though user 1 has no permissions on Project B.

h3. Expected Results

If the user is not directly granted 'Browse Project Archive'/'Browse Projects' on the project, and the custom field that would grant them is not populated, archived issues from that project should not appear in the results.
h3. Actual Results

The result list shows issues from projects for which the user does not hold the 'Browse Project Archive'/'Browse Projects' permissions. The user cannot open these issues, but their Summary is exposed in the result set.

A standard search via Issues > Search for Issues does not return these issues; only the Archived Issues search does.
h3. Workaround

The only current workaround is to avoid granting the 'Browse Project Archive'/'Browse Projects' permissions to 'Reporter' or to a custom field grantee; grant them to another grantee type (for example a group or project role) instead.
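To find schemes that still carry the grantee types described in the steps above and ruled out by the workaround, the following audit helper (an added example, not code from this bug report or from Atlassian) walks the JSON shape returned by Jira Data Center's GET /rest/api/2/permissionscheme?expand=permissions and flags any grant of Browse Projects or Browse Project Archive to the 'reporter', 'groupCustomField' or 'userCustomField' holder types. The holder type names are those used by the Jira REST API; the permission key BROWSE_ARCHIVE for 'Browse Project Archive' is an assumption and should be confirmed against your own instance's output. The sample scheme data is constructed to mirror the repro (Project A granted by group, Project B granted by a group custom field) and its field and group names are made up.

```python
"""Audit Jira permission scheme JSON for the grantee types this report warns about.

Added example, not part of the Atlassian bug report. It parses the JSON shape
returned by GET /rest/api/2/permissionscheme?expand=permissions on Jira Data
Center and flags any grant of Browse Projects / Browse Project Archive to the
'Reporter' holder or to a group/user custom-field holder.
"""
import json
import urllib.request
from base64 import b64encode

# Holder types as they appear in the REST payload. 'reporter' and
# 'groupCustomField' are the two named in the report; 'userCustomField' is
# included because the UI offers it in the same 'Custom Field' dropdown
# (assumption: treat it as equally suspect).
RISKY_HOLDER_TYPES = {"reporter", "groupCustomField", "userCustomField"}

# Permission keys. BROWSE_PROJECTS is the documented key; the key for
# 'Browse Project Archive' is an assumption here -- confirm it against the
# raw output of your own instance before relying on this filter.
WATCHED_PERMISSIONS = {"BROWSE_PROJECTS", "BROWSE_ARCHIVE"}


def find_risky_grants(schemes, watched=WATCHED_PERMISSIONS, risky_types=RISKY_HOLDER_TYPES):
    """Return (scheme name, permission, holder type, holder parameter) tuples
    for every grant of a watched permission to a risky holder type."""
    findings = []
    for scheme in schemes:
        for grant in scheme.get("permissions", []):
            holder = grant.get("holder", {})
            if grant.get("permission") in watched and holder.get("type") in risky_types:
                findings.append((scheme.get("name"), grant["permission"],
                                 holder["type"], holder.get("parameter")))
    return findings


def fetch_schemes(base_url, user, token):
    """Pull all permission schemes (with grants) from a Jira DC instance.
    Not exercised below; requires network access and valid credentials."""
    url = f"{base_url.rstrip('/')}/rest/api/2/permissionscheme?expand=permissions"
    req = urllib.request.Request(url)
    cred = b64encode(f"{user}:{token}".encode()).decode()
    req.add_header("Authorization", f"Basic {cred}")
    req.add_header("Accept", "application/json")
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)["permissionSchemes"]


# Constructed sample mirroring the report's repro: Project A's scheme grants
# by group (fine), Project B's scheme grants both permissions to a group
# custom field (the misconfiguration). Field and group names are made up.
SAMPLE_SCHEMES = json.loads("""
[
  {"id": 10000, "name": "Project A scheme", "permissions": [
    {"id": 1, "holder": {"type": "group", "parameter": "project-a-users"}, "permission": "BROWSE_PROJECTS"},
    {"id": 2, "holder": {"type": "group", "parameter": "project-a-users"}, "permission": "BROWSE_ARCHIVE"},
    {"id": 3, "holder": {"type": "reporter"}, "permission": "EDIT_ISSUES"}
  ]},
  {"id": 10001, "name": "Project B scheme", "permissions": [
    {"id": 4, "holder": {"type": "groupCustomField", "parameter": "customfield_10100"}, "permission": "BROWSE_PROJECTS"},
    {"id": 5, "holder": {"type": "groupCustomField", "parameter": "customfield_10100"}, "permission": "BROWSE_ARCHIVE"},
    {"id": 6, "holder": {"type": "projectRole", "parameter": "10002"}, "permission": "EDIT_ISSUES"}
  ]}
]
""")

if __name__ == "__main__":
    # Reporter holding EDIT_ISSUES in Project A is not flagged: only the two
    # browse permissions matter for this bug.
    for name, perm, htype, param in find_risky_grants(SAMPLE_SCHEMES):
        print(f"{name}: {perm} granted to {htype} ({param})")
```

Run against live data by replacing SAMPLE_SCHEMES with the result of fetch_schemes(); any finding names a scheme to move to a group, project role or user grantee until the bug is fixed.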

h3. Affected configurations

Versions listed by Vulners (Atlassian Jira Data Center):
* 8.13.22
* 8.20.11
* 9.1.0