When the 'Browse Projects' permission is granted to any of the Reporter, Assignee or User Custom Field, the project name is visible to anyone, including users who have no relationship with the project, under the 'All Projects' page (/secure/BrowseProjects.jspa#all).
Is there any workaround to prevent this visibility?
Ah, yes, there's a quirk in the wording of these here.
The way the permissions work for "browse" is that they give the right to see the issues in a project to anyone who *could* be selected in those fields on an issue. So, if you say "group X can report an issue", then everyone in group X can see the project, even if none of them ever report an issue.
I don't think the assignee works quite like that, but it's complicated, because I suspect it flows from the same "can report" problem.
There is a fix for the reporter issue - you can see it implemented on Atlassian's support site (if I report a support problem, you can't see it even though you can report issues in the same project).
What you need is "reporter browse" permission enabled. It is disabled by default because you need to be careful in how you use it (I think the rule is simple - do NOT use it for anything other than browse). See https://confluence.atlassian.com/display/JIRA/Current+Reporter+Browse+Project+Permission
I'd get that enabled and in place, and then see how the assignee works separately. I don't believe there's a fix for the user-picker though.
We have grouped together more information on why Granting Browse Project permission to 'Current Assignee', 'Reporter' or 'User Custom Field Value' allows all users to view Project information and some methods on How to limit user to only browse issues assigned to or reported by them
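To find which permission schemes are affected by the behaviour discussed in this thread, an administrator can scan an export of the schemes for Browse Projects grants held by Reporter, Assignee or a user custom field. The script below is an added example, not part of the original posts and not Atlassian's code. It assumes the JSON shape returned by Jira's `GET /rest/api/2/permissionscheme?expand=permissions`; the sample data, scheme names and custom field id are constructed.

```python
import json

# Constructed sample, shaped like the body returned by Jira's
# GET /rest/api/2/permissionscheme?expand=permissions (assumed shape).
SAMPLE = json.loads("""
{"permissionSchemes": [
  {"id": 10000, "name": "Default Permission Scheme", "permissions": [
    {"id": 1, "permission": "BROWSE_PROJECTS",
     "holder": {"type": "projectRole", "parameter": "10002"}},
    {"id": 2, "permission": "CREATE_ISSUES", "holder": {"type": "reporter"}}
  ]},
  {"id": 10100, "name": "Support Desk Scheme", "permissions": [
    {"id": 3, "permission": "BROWSE_PROJECTS", "holder": {"type": "reporter"}},
    {"id": 4, "permission": "BROWSE_PROJECTS",
     "holder": {"type": "userCustomField", "parameter": "customfield_10200"}},
    {"id": 5, "permission": "BROWSE_PROJECTS",
     "holder": {"type": "group", "parameter": "support-staff"}}
  ]}
]}
""")

# Holder types that are resolved per issue. On Browse Projects they make the
# project visible to every user who *could* be selected in that field.
PER_ISSUE_HOLDERS = {"reporter", "assignee", "userCustomField"}


def find_overbroad_browse_grants(payload):
    """Return (scheme name, holder type, parameter) for each risky grant."""
    findings = []
    for scheme in payload.get("permissionSchemes", []):
        for grant in scheme.get("permissions", []):
            holder = grant.get("holder") or {}
            if (grant.get("permission") == "BROWSE_PROJECTS"
                    and holder.get("type") in PER_ISSUE_HOLDERS):
                findings.append((scheme.get("name"), holder["type"],
                                 holder.get("parameter")))
    return findings


if __name__ == "__main__":
    for name, holder, param in find_overbroad_browse_grants(SAMPLE):
        detail = f" ({param})" if param else ""
        print(f"{name}: Browse Projects granted to {holder}{detail}")
```

Grants of other permissions to Reporter (such as the constructed `CREATE_ISSUES` entry) are not flagged, since the visibility problem in this thread concerns Browse Projects only.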