In Jira 8.19.1 and later, we’ve changed how user suggestions work when you mention someone or assign them to an issue. This change improves performance, but in some cases you’ll see suggestions of users that aren’t eligible (for example, don’t have permission to view the project).

This article is related to the following issues:

• JSWSERVER-20336 - Searching and Mentioning users may cause performance issues and high CPU load

• JSWSERVER-21200 - Permission filtering in mentions/assignees suggestions are based only on permission schemes

What’s changing

これまでの動作

Until Jira 8.19.1, when suggesting users to be selected, we’ve checked their permissions as you typed to make sure we suggest only relevant users. These checks included regular permissions, but also other dependencies, such as extra checks used in workflow permissions or issue security levels. Thanks to this, the suggestions always included the right users.

パフォーマンスの影響

Such detailed checks affected performance and often resulted in timeouts on large Jira instances. That’s because even a single mention meant checking all existing users, their permissions and dependencies, and generated a large number of database queries.

新しい動作

From Jira 8.19.1, we match suggested users only against permissions specified in your permission scheme, and only check additional dependencies when you actually select a user. In some cases, described below as Limitations, this results in suggesting users that aren’t eligible. Note that this change only affects retrieving the list of users, we’ve kept all the relevant validations in place when you try to select the ineligible user.

制限事項

We’ve identified three cases where you might see ineligible users as suggestions, and provided explanations of what exactly happens when you try to select them.

1. Issue security level

Setting issue security level allows you to control which users or groups can view an issue. You can read more about it here.

From Jira 8.19.1, the users that aren’t allowed to see a project or issue will be shown in the list of suggestions, and you’ll even be able to select them. These users, however, won’t get any notifications and won’t be able to view the project or issue.

2. Workflow permissions

Workflows allow you to change assignees when transitioning issues to a different status.

If your workflows are configured in this way, the list of suggested assignees might show ineligible users. However, you won’t be able to select them as we’ll check additional permissions on selection.

3. Plugins: ProjectPermissionOverrides

ProjectPermissionOverrides allows plugins to override any passed permission checks. The only usage we’ve identified is the Jira Service Management’s ServiceDeskCollaboratorPermissionOverride.java for assignees.

In projects that rely on ProjectPermissionOverrides, the list of suggested assignees might contain ineligible users. However, you won’t be able to select them as we’ll check additional permissions on selection.

Working around the limitations

These limitations might be inconvenient, but they don’t affect the security of your projects and issues. We’ve concluded that significant performance improvements provide much more benefit, especially in large Jira instances.

You can still work around them by updating your permission schemes. All permissions specified in the scheme will be respected in user suggestions.