SR for Jira - Development / SRJIRA-2889

AbstractEntityMatch doesn't respect permissions overrides

    Details

    • Type: Bug
    • Status: Done
    • Priority: High
    • Resolution: Fixed
    • Affects Version/s: 5.1.6, 5.3.7
    • Fix Version/s: 5.4.27
    • Component/s: JQL Functions
    • Labels: None
    • Critical Points: 1

      Description

      In AbstractEntityMatch#getValues, we perform permissions checks to ensure that we only return entities that the logged-in user is allowed to see (by virtue of being allowed to browse the projects to which the entities belong). However, we ignore the isSecurityOverriden()* flag on the QueryCreationContext. Code which sets this flag to true (e.g. Portfolio's IssueLuceneQueryFactory#getRelevantProjectIds) will often set the applicationUser to null, therefore we end up performing the same permission checks as we would for a non-logged-in user, which is of course wrong.

      The fix is simply to skip the permissions checks if queryCreationContext.securityOverriden is true.

      * Yes, that is how they spell it.
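      The failure mode above, as an added illustration that is not code from SR for Jira or from Jira itself: the interfaces below are cut-down stand-ins for the real QueryCreationContext, ApplicationUser and permission-manager types (the method names isSecurityOverriden() and getApplicationUser() match Jira's, everything else is assumed), and the candidate entities and the browse-permission rule are constructed sample data. getValuesBuggy filters by the current user regardless of the override flag, so a caller that sets securityOverriden=true with a null user gets anonymous-level results; getValuesFixed honours the flag and returns every candidate in that case, which is the fix the description proposes.

```java
import java.util.ArrayList;
import java.util.List;

// Assumed minimal stand-ins for the Jira types involved; not the real API surface.
interface ApplicationUser {
    String getKey();
}

interface QueryCreationContext {
    ApplicationUser getApplicationUser();   // null when a trusted caller runs "as nobody"
    boolean isSecurityOverriden();          // Jira's own spelling of the flag
}

interface PermissionManager {
    // true if `user` (null = anonymous) may browse the project with this id
    boolean hasBrowsePermission(ApplicationUser user, long projectId);
}

final class Entity {
    final String name;
    final long projectId;
    Entity(String name, long projectId) { this.name = name; this.projectId = projectId; }
}

final class EntityMatch {
    private final PermissionManager permissions;
    EntityMatch(PermissionManager permissions) { this.permissions = permissions; }

    // Before the fix: the override flag is never consulted, so a null user is
    // treated exactly like an anonymous browser and entities are dropped.
    List<Entity> getValuesBuggy(QueryCreationContext ctx, List<Entity> candidates) {
        List<Entity> visible = new ArrayList<>();
        for (Entity e : candidates) {
            if (permissions.hasBrowsePermission(ctx.getApplicationUser(), e.projectId)) {
                visible.add(e);
            }
        }
        return visible;
    }

    // After the fix: a caller that has explicitly overridden security gets the
    // unfiltered list; everyone else goes through the same per-project check.
    List<Entity> getValuesFixed(QueryCreationContext ctx, List<Entity> candidates) {
        if (ctx.isSecurityOverriden()) {
            return new ArrayList<>(candidates);
        }
        return getValuesBuggy(ctx, candidates);
    }
}

public class OverrideDemo {
    public static void main(String[] args) {
        // Constructed rule: anonymous users may browse only project 10;
        // any non-null user may browse everything.
        PermissionManager pm = (user, projectId) -> user != null || projectId == 10L;

        // Constructed candidates: one in a public project, one in a restricted one.
        List<Entity> all = List.of(new Entity("public-entity", 10L),
                                   new Entity("restricted-entity", 20L));

        // A context like the one Portfolio builds: user null, security overridden.
        QueryCreationContext overridden = new QueryCreationContext() {
            public ApplicationUser getApplicationUser() { return null; }
            public boolean isSecurityOverriden() { return true; }
        };

        EntityMatch match = new EntityMatch(pm);
        System.out.println("buggy:  " + match.getValuesBuggy(overridden, all).size() + " entities");
        System.out.println("fixed:  " + match.getValuesFixed(overridden, all).size() + " entities");
    }
}
```

      The override path is a deliberate bypass, so the caveat is on the caller rather than on getValues: any code that sets securityOverriden to true must itself guarantee that the unfiltered result is only used internally (for example to build an index query) and never handed back to a user who could not have browsed those projects.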


            People

            Assignee:
            ahasan Ashraful Hasan [X] (Inactive)
            Reporter:
            jchoules Joanna Choules
            Votes:
            0
            Watchers:
            2
