Community
Products
Jira
Questions
section "Issue Links" missing / not shown

section "Issue Links" missing / not shown

Hi there,
I have two projects, on project 1, an issue is "related to" an issue in project 2.
On project 1, as user with admin rights I see the link

On the linked issue "ICL-24", as user b, I don't see the link, but the comment, that it is linked.

what do I have to change, so that the link is shown on both sides?

The admin user, is seeing the "issue links" section on ICL-24 so I expect, that this is something user rights related, but I don't get currently the problem.

Thanks for helping.

Jörg

2 answers

1 accepted

0 votes

Answer accepted

I suspect your instincts are correct. Can you check what your users can see in each project?

The reason is a security one, which is easier to explain by example - let's say you have two issues and two people. Alice and Bob can both see Issue-1, but only Alice can see Issue-2. You link the issues. Alice can see both and everything works fine. Bob is denied access to Issue-2.

Now, if Bob could see the link to Issue-2 when he looks at Issue-1, then there's a security issue because he suddenly knows it exists, what type it is, the summary and so-on. That breaks "Bob can't see issue-2", so Jira hides the link from him entirely to prevent leakage.

In a lot of organisations, this wouldn't actually be a problem. But Jira can't assume that.

In short, check "Bob" can see both issues that are linked together!

You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.

Comment

The really interesting thing on this topic is, that a groovy script, which is executed by Bob on a transition post action, is able to see and edit the issue-2, without beeing able to the issue-2 in browser anyway...

Thanks you both.
Jörg

You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.

Comment

Like

Oooh, that IS interesting. Two possibilities spring to mind

1. Groovy is powerful and hooks directly into the API, it may be able to ignore restrictions. Although, I suspect you'd have to explicitly code the script to use functions that are unrestricted

2. We've only looked at "browse" permissions. It is actually possible to create a workflow transition that has no conditions, which means anyone can execute it. I have a nagging doubt that even if Bob cannot see the issue (no "browse" rights) then he can still execute transitions that are unprotected by conditions. The UI stops that, I think, but it wouldn't stop a scripted action.

You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.

Comment

Like

Bob execute a transition on issue-1, whichs fireing following script...

...
issueLinkManager = componentManager.getIssueLinkManager()
ComponentManager componentManager = ComponentManager.getInstance()
MutableIssue currentIssue = issue
if (currentIssue.getTimeSpent() &gt;0 )
        {
                cus = componentManager.getJiraAuthenticationContext().getUser()
                now = new Date().format('dd.MM.yyyy k:mm')
issueLinkManager.getInwardLinks(currentIssue.getId()).each
                {
                issueLink -&gt;
                    if (issueLink.issueLinkType.name == "Relates")
                            {
                                linkedIssue = issueLink.getSourceObject()
                                MutableIssue timetrackIssue = componentManager.getIssueManager().getIssueObject(linkedIssue.getKey())
                                wli = new WorklogImpl(null, timetrackIssue , 0, cus.name, 'Zeitübertragung aus ' + currentIssue.getKey(), Date.parse('dd.MM.yyyy hh:mm', now), null, null, currentIssue.getTimeSpent() )
                                ComponentManager.instance.worklogManager.create(cus, wli, 0, false)
                            }
                }

        }
else    
        {
                log.debug "Issue " + currentIssue.getKey() + " hat keine gebuchte Arbeitszeit"
        }

This code manipulates directly the linked issue issue-2, which Bob can't access by browser anyway.
I don't care, I like that the code ignores that Bob can't access issue-2, because the project of issue-2 has very limited access.
However, this can be some security topic on other customers.
Thanks
Jörg

You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.

Comment

Like

Reply

0 votes

Make sure user b has "Borwse Project" permission on both the projects.

https://confluence.atlassian.com/display/JIRA/Managing+Project+Permissions

You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.

Comment

So... In short, check "Bob" can see both issues that are linked together!

You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.

Comment

Like

Hi Jobin,
thats something, I have already checkt.

The project Test, can be browsed for test purpose by "anyone", but link still wasn't shown.

"Browse project", this was just the half of the problem.
On issue JLTA-76 also issue security schema was applied.

Thanks
Jörg

You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.

Comment

Like

Yup, that is the next :) If the issue is protected by a security scheme, users won't see it unless they are part of that security level.

You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.

Comment

Like

Reply

Suggest an answer

Log in or Sign up to answer

Was this helpful?

Thanks!

TAGS

Community showcase