Granting Browse Project permission to 'Current Assignee', 'Reporter' or 'User Custom Field Value' allows all users to view Project information

Symptoms

Granting the "Browse Project" permission to any of the following entities in a project's permission scheme allows all users to view project information, such as the project name, project key, and so on. 

  • Reporter
  • Single user
  • Current assignee
  • User custom field value
  • Group custom field value

Cause

Permissions for all of these entities are granted on the issue level, not the project level. When you create the first issue in your project, it will be restricted to the entity you've chosen (e.g. current assignee), but the whole project will be visible to anybody, as there are no project-level permissions (for example, a grant to the Administrators role) that would restrict it. If you're looking to hide the project, you need to assign the "Browse Project" permission to a role or a group, and then use issue security levels to further restrict particular issues.

Here are some bugs related to this issue:

  • JRA-34389
  • JRA-37117

How to restrict issues (and the project itself) to desired roles and groups:

  1. Start by hiding the whole project. You can do this by setting the "Browse Project" permission to one of the following entities. Permissions for these entities are granted on the project level, and will work before you even create the first issue.

    • Project role
    • Application access
    • Group

  2. Once you've hidden the project information, you can further restrict issues to all original entities mentioned in "Symptoms" by using issue security schemes and security levels. For more info, see Configuring issue-level security.
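
To find permission schemes affected by this, here is an added example (not Atlassian's code) that scans schemes, in the JSON shape returned by Jira's REST resource `/rest/api/2/permissionscheme?expand=permissions`, for "Browse Projects" grants held by the issue-level entities listed in "Symptoms". The sample data is constructed, and the holder-type strings are an assumption to confirm against your Jira version.

```python
import json

# Holder types the article lists as evaluated per issue rather than per project.
# Keys are "holder.type" strings from Jira's permission scheme REST resource
# (assumption: confirm them against your Jira version).
ISSUE_LEVEL = {
    "reporter": "Reporter",
    "user": "Single user",
    "assignee": "Current assignee",
    "userCustomField": "User custom field value",
    "groupCustomField": "Group custom field value",
}
PROJECT_LEVEL = {"projectRole", "applicationRole", "group"}

# Constructed sample in the shape of the REST response; not real data.
SAMPLE = json.loads("""
{"permissionSchemes": [
 {"id": 10000, "name": "Support scheme", "permissions": [
  {"permission": "BROWSE_PROJECTS", "holder": {"type": "assignee"}},
  {"permission": "BROWSE_PROJECTS",
   "holder": {"type": "userCustomField", "parameter": "customfield_10010"}},
  {"permission": "CREATE_ISSUES", "holder": {"type": "reporter"}}]},
 {"id": 10001, "name": "Engineering scheme", "permissions": [
  {"permission": "BROWSE_PROJECTS",
   "holder": {"type": "projectRole", "parameter": "10002"}}]}
]}
""")

def audit_browse_grants(response):
    """List Browse Projects grants held by issue-level entities, per scheme."""
    findings = []
    for scheme in response.get("permissionSchemes", []):
        grants = [p.get("holder", {}) for p in scheme.get("permissions", [])
                  if p.get("permission") == "BROWSE_PROJECTS"]
        # True when a role, group or application-access grant is also present.
        project_level = any(h.get("type") in PROJECT_LEVEL for h in grants)
        for holder in grants:
            if holder.get("type") in ISSUE_LEVEL:
                findings.append({
                    "scheme": scheme.get("name"),
                    "holder": ISSUE_LEVEL[holder["type"]],
                    "parameter": holder.get("parameter"),
                    "has_project_level_grant": project_level,
                })
    return findings

if __name__ == "__main__":
    for f in audit_browse_grants(SAMPLE):
        print(f"{f['scheme']}: Browse Projects granted to {f['holder']}"
              f" (project-level grant present: {f['has_project_level_grant']})")
```

Each finding is a scheme where "Browse Projects" should move to a project role, group or application access, with the original entity re-applied through an issue security level.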

Workaround

To work around this issue with Assignee and Reporter, you may enable the optional "Assignee (show only projects with assignable permission)" security type. This security type allows you to restrict project browsing to "assignable" users (i.e. users who can have issues assigned to them) in a project permission scheme. You can use this security type instead of "Current Assignee" in your project permission schemes.

For more information regarding the Reporter, see Current Reporter Browse Project Permission.

To do this:

  1. Edit the WEB-INF/classes/permission-types.xml file.
  2. Find the following code and uncomment all code in the <type> tag:

         <!--  Uncomment & use this permission to show only projects where the user has the assignable permission and issues within that where they are the assignee -->
         <!--  This permission type should only ever be assigned to the "Browse Projects" permission. -->
         <!--  Other permissions can use the "reporter" or "create" permission type as appropriate. -->
         <!--
         <type id="assigneeassignable" enterprise="true">
             <class>com.atlassian.jira.security.type.CurrentAssigneeHasAssignablePermission</class>
         </type>
         -->
  3. Restart Jira.
  4. Configure the permission scheme for the project, remove the "Browse Project" permission from "Current Assignee", and assign the "Browse Project" permission to "Assignee (show only projects with assignable permission)".



Last updated: May 4, 2021
