Browse users permission should be restricted to shared projects

I assume, the main issue here is the Browse Users permission in the Global Permission section. You need this permission, in order to easily search an user, but the final check, if an user can be added as watcher or not, occurs upon you click the selected user from the list. This is too late.

The issue https://jira.atlassian.com/browse/JRASERVER-7776 was created in 2005 and it is still unresolved. So I guess, this is a basic issue how JIRA was designed and it is not easy to solve.

How does the global browse permssion work:

Browse Users

Ability to select a user or group from a popup window as well as the ability to use the 'share' issues feature. Users with this permission will also be able to see names of all users and groups in the system.

Right now we cannot share the browse users permission with external users. This is not just about watcher, but also other user multiple-user picker fields. Without the permission the users can use the fields, but they have to type in the exact username. Not very user friendly.

My expectation is simple: Users not playing a role in the project should not be listed. The reason is, we don't want to show to everyone the users we have. This is also a matter of confidence.

They can be listed as watchers - the point of the field is that you can include anyone you want.

If a watcher does not have "browse" permission in the project, then they will not be sent any emails though, as they can't see the issue (there are add-ons that allow you to breach that security and allow you to leak, but that's another conversation)

The logic for this is simple - how does JIRA know that a user you add as a watcher might not be added to the project later?  It can't possibly know that, so the code is kept simple - if you can see a user, you can put them in as a watcher.

The restrictions depend on the field in which you see these users. In the Assignee field for instance, a given user will only see the users with Assignable User permissions. There are no further restrictions based on the groups in which the users belong. This would be hell and would make sharing work a nightmare in any company-wide instance. Imagine if you could only share work with users who belong in all the same groups as you.

There's a ticket which you may want to vote on: https://jira.atlassian.com/browse/JRASERVER-40283

I'm afraid that the watchers field is not of any use unless you can draw everyone in, that's why it's been done the way it has.

With reference to the point:
when project membership changes, you have to start editing fields on issues, which is not sane or useful, and, as I said, the point of watchers is to include people, so you want the whole list.

We have the situation when users became inactive, left the company, etc. The watcher field then is just history.

I have a concrete case, that users shouldn't be able to see all the users in the system. I tried to remove the permission from the browse users permission and was expecting, it would work by typing in the username. But it didn't work.

Yes, it makes perfect sense - if I am trying to involve Dave in my issue, but he can't see it at all, then there's a red flag that I need to get him added to the project, at least as a read-only user (which might not the same as "adding them to the project" in other senses)

It's even worse if I have to go hunting around for why Dave can't be added as a watcher.  In this way, a) I can find him easily and b) get told why I can't add him. 

If you limit the watchers field to the project, then you make problems for yourself - when project membership changes, you have to start editing fields on issues, which is not sane or useful, and, as I said, the point of watchers is to include people, so you want the whole list.

Sorry, not true what I just said. They need the Browse Project permission.

Yep, this is to be expected. In the Permission Scheme, there's a Watch Issues permission. Set it to the Viewer Project Role (and above), so that all users who are at least viewer can be watcher

If I click on the watcher field and select a name from a person that doesn't have a role in the project, I got the message from Jira:

There was an error adding watcher
The user "username" does not have permission to view this issue. This user will not be added to the watch list.

Does this really make sense?

The whole point of the watchers facility is that people can be watchers without having to be a user in the project.

Right now I have a problem with the watcher field. Browsing for users to add them manually as watchers shows me the full list of all users, even those not playing any role in the project. I guess they can't be added as watchers, but they should not be listed.