section "Issue Links" missing / not shown

Hi there,
I have two projects, on project 1, an issue is "related to" an issue in project 2.
On project 1, as user with admin rights I see the link

On the linked issue "ICL-24", as user b, I don't see the link, but the comment, that it is linked.


what do I have to change, so that the link is shown on both sides?

The admin user, is seeing the "issue links" section on ICL-24 so I expect, that this is something user rights related, but I don't get currently the problem.

Thanks for helping.

Jörg

2 answers

1 accepted

0 vote

I suspect your instincts are correct. Can you check what your users can see in each project?

The reason is a security one, which is easier to explain by example - let's say you have two issues and two people. Alice and Bob can both see Issue-1, but only Alice can see Issue-2. You link the issues. Alice can see both and everything works fine. Bob is denied access to Issue-2.

Now, if Bob could see the link to Issue-2 when he looks at Issue-1, then there's a security issue because he suddenly knows it exists, what type it is, the summary and so-on. That breaks "Bob can't see issue-2", so Jira hides the link from him entirely to prevent leakage.

In a lot of organisations, this wouldn't actually be a problem. But Jira can't assume that.

In short, check "Bob" can see both issues that are linked together!

The really interesting thing on this topic is, that a groovy script, which is executed by Bob on a transition post action, is able to see and edit the issue-2, without beeing able to the issue-2 in browser anyway...

Thanks you both.
Jörg

Oooh, that IS interesting. Two possibilities spring to mind

1. Groovy is powerful and hooks directly into the API, it may be able to ignore restrictions. Although, I suspect you'd have to explicitly code the script to use functions that are unrestricted

2. We've only looked at "browse" permissions. It is actually possible to create a workflow transition that has no conditions, which means anyone can execute it. I have a nagging doubt that even if Bob cannot see the issue (no "browse" rights) then he can still execute transitions that are unprotected by conditions. The UI stops that, I think, but it wouldn't stop a scripted action.

Bob execute a transition on issue-1, whichs fireing following script...

...
issueLinkManager = componentManager.getIssueLinkManager()
ComponentManager componentManager = ComponentManager.getInstance()
MutableIssue currentIssue = issue
if (currentIssue.getTimeSpent() >0 )
        {
                cus = componentManager.getJiraAuthenticationContext().getUser()
                now = new Date().format('dd.MM.yyyy k:mm')
issueLinkManager.getInwardLinks(currentIssue.getId()).each
                {
                issueLink ->
                    if (issueLink.issueLinkType.name == "Relates")
                            {
                                linkedIssue = issueLink.getSourceObject()
                                MutableIssue timetrackIssue = componentManager.getIssueManager().getIssueObject(linkedIssue.getKey())
                                wli = new WorklogImpl(null, timetrackIssue , 0, cus.name, 'Zeitübertragung aus ' + currentIssue.getKey(), Date.parse('dd.MM.yyyy hh:mm', now), null, null, currentIssue.getTimeSpent() )
                                ComponentManager.instance.worklogManager.create(cus, wli, 0, false)
                            }
                }

        }
else    
        {
                log.debug "Issue " + currentIssue.getKey() + " hat keine gebuchte Arbeitszeit"
        }

This code manipulates directly the linked issue issue-2, which Bob can't access by browser anyway.
I don't care, I like that the code ignores that Bob can't access issue-2, because the project of issue-2 has very limited access.
However, this can be some security topic on other customers.
Thanks
Jörg

0 vote

Make sure user b has "Borwse Project" permission on both the projects.

https://confluence.atlassian.com/display/JIRA/Managing+Project+Permissions

So... In short, check "Bob" can see both issues that are linked together!

Hi Jobin,
thats something, I have already checkt.

The project Test, can be browsed for test purpose by "anyone", but link still wasn't shown.

"Browse project", this was just the half of the problem.
On issue JLTA-76 also issue security schema was applied.

Thanks
Jörg

Yup, that is the next :) If the issue is protected by a security scheme, users won't see it unless they are part of that security level.

Suggest an answer

Log in or Join to answer
Community showcase
Sarah Schuster
Posted Jan 29, 2018 in Jira

What are common themes you've seen across successful & failed Jira Software implementations?

Hey everyone! My name is Sarah Schuster, and I'm a Customer Success Manager in Atlassian specializing in Jira Software Cloud. Over the next few weeks I will be posting discussion topics (8 total) to ...

3,323 views 14 20
Join discussion

Atlassian User Groups

Connect with like-minded Atlassian users at free events near you!

Find a group

Connect with like-minded Atlassian users at free events near you!

Find my local user group

Unfortunately there are no AUG chapters near you at the moment.

Start an AUG

You're one step closer to meeting fellow Atlassian users at your local meet up. Learn more about AUGs

Groups near you
Atlassian Team Tour

Join us on the Team Tour

We're bringing product updates and pro tips on teamwork to ten cities around the world.

Save your spot