Forums

Articles
Create
cancel
Showing results for 
Search instead for 
Did you mean: 

Why do workflow transitions need permission validators to close an issue

Aspi Engineer
I'm New Here
I'm New Here
Those new to the Atlassian Community have posted less than three times. Give them a warm welcome!
January 12, 2015

This is a question regarding permissions and workflow transition validators. I have a user who does NOT have the "Close Issue" permissions, based on the permissions scheme. However he is still able to close issues. There are no validators defined for the transition. If I add an appropriate "Permissions validator" ('User must have CLOSE permission'), then everything works as expected. Is this behavior by design? What is the reasoning behind having to define a 'permissions validator'? One would expect that if you have the CLOSE permission, you can close the issue. If you do not have the permission, you cannot close the issue.

We are using JIRA 6.2.7

Thanks
Aspi

1 answer

0 votes
Nic Brough -Adaptavist-
Rising Star
Rising Star
Rising Stars are recognized for providing high-quality answers to other users. Rising Stars receive a certificate of achievement and are on the path to becoming Community Leaders.
January 12, 2015

It's partly historical.  Back in a very old Jira, there were no hooks in the workflow for Conditions or Validators - the "does user have the close permission" was almost hard coded into the workflow, so all you needed to do was add it and not worry about the workflow.

 

The newer system where you explicitly add your own "check permissions" stuff is a lot more flexible, but it does need a nice long list of possible permissions and we, as admins, still can't add new permissions.  JIRA therefore ships with the old "close" permission which isn't actually used except by the conditions - it's not needed, but Admins would need something like it if it were removed, and I'd bet we'd all add it back in as a "custom permission" if Atlassian went that way.

 

(in fact, "permissions validator" was the first attempt to make it more configurable and was deprecated almost straight away - you shouldn't use permissions validators, it's better to use conditions to prevent the user even trying something they shouldn't do)

Suggest an answer

Log in or Sign up to answer