Issue with workflow transition permissions and moving issues

I'm assuming I am not the first to see this, but I couldn't find anything by searching on this specific issue.  I have several workflows that require approvals and have conditions set up to only allow users in a role to make the transition happen.  I recently saw someone create an issue in the project with a different issue type (Task) and then they moved the issue to being the issue type that requires an approval (Access Request).  They were able to specify that they wanted the issue to be in "Approved" status on the move instead of "New", even though if they had created the issue correctly in the right issue type to begin with, they would not have been able to execute that transition.  Has anyone seen this and if so are there any answers to lock this down?



2 answers

When they were asked for that "Status", did they try to change the initial status? Did JIRA allow? AFAIK, it won't because of the permissions.

They never changed the initial status - when they were able to change the status was during the move - on the move screen it gives the option to change issue type and then asks which status in the new issue that this ticket should be in and provides a drop down list of all statuses in the workflow that they are entering.

And what happens when they select other than the initial status from the dropdown? Does JIRA allows it?

Yes, JIRA allowed them to put it into "Approved" status instead of the initial status for the flow, "New" - there is a condition on the workflow to go from New to Approved that they must be in a certain role - this works as expected when going through the workflow. It's just the loophole with Moving an issue from one type to another

So the user that did it have the correct access/role in your Permission Scheme "Move Issues". It will move it then and an option to populate/update some of the custom fields. This will not respect the workflow validations because they will not be triggered.

Right - that makes sense - but is there any way to limit this? That is a relatively large loophole if users can bypass approval processes

Limit the "Move issues" to a certain group/role only (like Project Admins role only). I certainly don't like regular users to do this.

Yes, the Move function enables the user to move between status without any of the triggers and validatrors configured in the workflows. This is a serious concern when relying on JIRA for controlled workflows.

I have tried to find ways to circumvent this as I like users to be able to move issues to other project if they have created them in the wrong project (happens quite often i my organisation). 

I have found no solution and have disabled move for anybody but the project manager.

Suggest an answer

Log in or Sign up to answer
Community showcase
Posted Oct 09, 2018 in Jira Core

How to manage many similar workflows?

I have multiple projects that use variations of the same base workflow. The variations depend on the requirements of the project or issue type. The variations mostly come in the form of new statuses ...

375 views 6 0
Join discussion

Atlassian User Groups

Connect with like-minded Atlassian users at free events near you!

Find a group

Connect with like-minded Atlassian users at free events near you!

Find my local user group

Unfortunately there are no AUG chapters near you at the moment.

Start an AUG

You're one step closer to meeting fellow Atlassian users at your local meet up. Learn more about AUGs

Groups near you