Come for the products,
stay for the community

The Atlassian Community can help you and your team get more value out of Atlassian products and practices.

Atlassian Community about banner
Community Members
Community Events
Community Groups

User context in which JQL query for issue picker custom field runs

Dieter Rising Star Feb 27, 2021

Is there a way to run the query in a way so that permission checks are bypassed and all issues matching the JQL query are returned?

2 answers

1 accepted

1 vote
Answer accepted

I don't think that's possible using the built-in issue picker.

But you might be able to achieve a similar purpose by using a plain text field and a conversion to a select list

This would require you to build a custom rest endpoint that mimics the built-in /rest/scriptrunner-jira/latest/issue/picker but ignores the current user permissions.

Dieter Rising Star Mar 03, 2021

Is there a chance to get the source of this built-in rest endpoint?

I don't have access to it, but it should be fairly simple to recreate the input and response.

Here I took a small stab at it:

import com.atlassian.jira.web.bean.PagerFilter
import com.atlassian.jira.component.ComponentAccessor
import groovy.json.JsonBuilder
import groovy.transform.BaseScript

@BaseScript CustomEndpointDelegate delegate

issuePickerNoSecurity(httpMethod: "GET", groups: ['jira-users']) { MultivaluedMap queryParams, String body ->
   def query = queryParams.getFirst('query')
   def currentJql = queryParams.getFirst('currentJql')
   def max = queryParams.getFirst('max') ?: 10

   def adminUser = ComponentAccessor.userManager.getUserByName('admin')

   def searchService = ComponentAccessor.getComponent(SearchService)
   def jql =''
   if(query.trim() && currentJql.trim()){
      jql = /$currentJql and text ~ "$query"/
   } else if (currentJql.trim()){
jql = currentJql
} else if(query.trim()){
jql=/text ~ "$query"/
def jqlParseResult = searchService.parseQuery(adminUser, jql)
def pager = new PagerFilter(max as Integer)
def results = searchService.searchOverrideSecurity(adminUser, jqlParseResult.query, pager)
def output = [sections:[
[label: 'Select Issue',
sub : "Showing $max of $ matching issues",
jql: jql, id:'cs',issues:
def issue = ComponentAccessor.issueManager.getIssueObject(it.key)
[key: issue.key, keyHtml: issue.key, img:issue.issueType.iconUrlHtml,
summary: issue.summary.replaceAll(/(?i)($query)/, '<b>$1</b>'),
summaryText: issue.summary,]
return Response.ok(new JsonBuilder(output).toString()).build();

This doesn't use the other options like showSubTasks.

Also, note that with this, you don't get a preferential list of issues based on the current users' recently viewed issues.

Like Dieter likes this

Thank‘s a lot for this 👍

Very helpful!

Hi Dieter, I don't think that is possible because Jira API for takes in an ApplicationUser parameter no matter what.

The only way to work around this is to use a superuser instead to do the search. 

In any case, using JQL searches in Scripted Field is not recommended as mentioned here: JQL Searches in Script Fields

Otherwise, you will get issues with full reindexing. If you still want to use it, do remember to check the index availability as suggested in the documentation. 

UPDATE: I just noticed you were referring to Issue Picker query, not search query in Scripted Field. In that case, Peter-Dave Sheehan's reply is more relevant. Can't believe we commented at the same time though, Peter. 

Suggest an answer

Log in or Sign up to answer

Atlassian Community Events