How to restrict JIRA user accounts visibility for confidentiality reason?

Yves Martin
August 14, 2018

Hello

Our JIRA instance hosts a lot of projects for multiple customers, with remote access from our partners. Because of confidentiality issues, we expect that a user cannot gain access to any other user's details from JIRA (not even learn that an account/email address exists) when he is not concerned by the related projects for these customers/partners.

From my point of view, when the "Browse Users" global permission is granted, JIRA should only auto-complete user login/name/email for accounts with the proper project (Browse Project) or issue (Security Level) permissions for the expected action.

According to my testing in JIRA 7.7:

  1. when commenting, the mention "@" shortcut seems to restrict the account list based on project+issue permissions. To be confirmed, maybe from the source code.
  2. when managing watchers (Add watcher), any matching users are listed as search results, but applying them then fails based on permissions.
  3. the "Share issue" action not only allows listing all user accounts but also successfully sends an email to anyone without warning, even when the target user is not granted access to that issue.

Are there work-arounds for any of these "troubles" (points 2 and 3) instead of simply disabling the "Browse Users" permission, which then makes the mention "@" shortcut in comments unusable?

Are there any other places in JIRA where users may "browse users"?


After some additional investigations:


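As an added example (not the poster's code and not Atlassian's), a small offline audit that reproduces point 2 from the question: it compares what the global user search returns with what the issue-scoped search returns for the same query, on constructed sample responses. The two REST paths are assumed from the Jira Server 7.x REST API documentation, the issue key `CUSTA-12` is constructed, and `fetch` is a placeholder that a real run would back with an authenticated HTTP client.

```python
"""Offline audit of Jira user-picker over-exposure (added example, not the
poster's code). Compares the global user search with the issue-scoped one
for the same query; the two Jira Server 7.x REST paths below are assumed."""
import json
from urllib.parse import urlencode


def picker_paths(query, issue_key):
    """Paths of the two endpoints to compare (assumed from Jira Server 7.x docs)."""
    # Every account the caller may browse (needs the Browse Users global permission).
    globally = "/rest/api/2/user/search?" + urlencode({"username": query})
    # Only accounts that also hold Browse Projects / security-level access to the issue.
    scoped = "/rest/api/2/user/viewissue/search?" + urlencode(
        {"username": query, "issueKey": issue_key})
    return globally, scoped


def audit(query, issue_key, fetch):
    """fetch(path) -> list of user dicts as Jira returns them.

    Returns the accounts the global picker lists although they cannot view
    issue_key, and whether the global picker discloses unmasked e-mail addresses
    (Jira's 'masked' e-mail visibility setting prints 'user at host dot com')."""
    global_path, scoped_path = picker_paths(query, issue_key)
    everyone = {u["name"]: u for u in fetch(global_path)}
    allowed = {u["name"] for u in fetch(scoped_path)}
    return {
        "overexposed": sorted(set(everyone) - allowed),
        "leaks_email": any("@" in u.get("emailAddress", "") for u in everyone.values()),
    }


# Constructed sample responses standing in for the two endpoints.
SAMPLE = {
    "/rest/api/2/user/search?username=a": [
        {"name": "alice", "displayName": "Alice", "emailAddress": "alice@customer-a.example"},
        {"name": "arnaud", "displayName": "Arnaud", "emailAddress": "arnaud@partner-b.example"},
        {"name": "amir", "displayName": "Amir", "emailAddress": "amir@customer-c.example"},
    ],
    "/rest/api/2/user/viewissue/search?username=a&issueKey=CUSTA-12": [
        {"name": "alice", "displayName": "Alice", "emailAddress": "alice@customer-a.example"},
    ],
}


def fake_fetch(path):
    return SAMPLE[path]


if __name__ == "__main__":
    print(json.dumps(audit("a", "CUSTA-12", fake_fetch), indent=2))
```

A real run replaces `fake_fetch` with an authenticated GET against the instance, issued as the partner or customer account whose exposure you want to measure.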
0 answers
