How can I prevent uses from linking an issue in one project to an issue in another project

John O'Brien August 21, 2017

I want certain users to be able to link issues across projects but I need to control this i.e. only to selected projects. So I added these users to a project role and removed the "Browse Projects" and "Link Issues" permissions from that role in a target-project. Now, when a member of this project role tries to link an issue to another issue in that target-project, he cannot "see" the target-project or specifiy it in a JQL statement, so far, so good! However, if he enters the Key-ID of an issue in the target project, the link will be created. Not good at all!

Furthermore, something strange happens, this link is not displayed in the issue screen as usual. However, I checked the activity protocol and can see that the value of the "Links" field has been changed and now contains the key specified i.e. the key of the issue in the target-project. Even more strange, if I grant the project role "Browse Projects" in the target-project again, then the link is displayed in the issue screen in the original project as normal.

So it seems to be that you can create a link to an issue in another projects regardless of whether or not you have "Browse project" or "Link Issues" permission for that project, however JIRA will not show the link in the usual way.

I really can't think of a good reason to allow a user to create a link by providing the issue key but yet hide that link. To me, he should not be allowed to create the link  to a project for which he does not have Browse Project or Link Issues permission in the first place. Why allow the link to be made and yet hide it?
Instead, it seems as if the permission "Link issue" only applies to issues when they are in the current project being edited and not when they are the target of a link.
Browse Projects seems to be prevent looking into a project but if you have an issue key, you can get around it.
Is this a bug in JIRA?

1 answer

0 votes
somethingblue
Atlassian Team
Atlassian Team members are employees working across the company in a wide variety of roles.
August 21, 2017

Hi John,

I tested this and I see the same behavior you do in the latest version where I'm able to create the link using the ID. 

I created a bug that you can find at JRASERVER-65821.  Please vote on the issue to add impact and add any comments you would like to the ticket.  Once you do that you'll be notified directly of any changes to the ticket.

Cheers,

Branden

Suggest an answer

Log in or Sign up to answer