section "Issue Links" missing / not shown

Hi there,
I have two projects, on project 1, an issue is "related to" an issue in project 2.
On project 1, as user with admin rights I see the link

On the linked issue "ICL-24", as user b, I don't see the link, but the comment, that it is linked.


what do I have to change, so that the link is shown on both sides?

The admin user, is seeing the "issue links" section on ICL-24 so I expect, that this is something user rights related, but I don't get currently the problem.

Thanks for helping.

Jörg

2 answers

1 accepted

0 vote

I suspect your instincts are correct. Can you check what your users can see in each project?

The reason is a security one, which is easier to explain by example - let's say you have two issues and two people. Alice and Bob can both see Issue-1, but only Alice can see Issue-2. You link the issues. Alice can see both and everything works fine. Bob is denied access to Issue-2.

Now, if Bob could see the link to Issue-2 when he looks at Issue-1, then there's a security issue because he suddenly knows it exists, what type it is, the summary and so-on. That breaks "Bob can't see issue-2", so Jira hides the link from him entirely to prevent leakage.

In a lot of organisations, this wouldn't actually be a problem. But Jira can't assume that.

In short, check "Bob" can see both issues that are linked together!

The really interesting thing on this topic is, that a groovy script, which is executed by Bob on a transition post action, is able to see and edit the issue-2, without beeing able to the issue-2 in browser anyway...

Thanks you both.
Jörg

Oooh, that IS interesting. Two possibilities spring to mind

1. Groovy is powerful and hooks directly into the API, it may be able to ignore restrictions. Although, I suspect you'd have to explicitly code the script to use functions that are unrestricted

2. We've only looked at "browse" permissions. It is actually possible to create a workflow transition that has no conditions, which means anyone can execute it. I have a nagging doubt that even if Bob cannot see the issue (no "browse" rights) then he can still execute transitions that are unprotected by conditions. The UI stops that, I think, but it wouldn't stop a scripted action.

Bob execute a transition on issue-1, whichs fireing following script...

...
issueLinkManager = componentManager.getIssueLinkManager()
ComponentManager componentManager = ComponentManager.getInstance()
MutableIssue currentIssue = issue
if (currentIssue.getTimeSpent() >0 )
        {
                cus = componentManager.getJiraAuthenticationContext().getUser()
                now = new Date().format('dd.MM.yyyy k:mm')
issueLinkManager.getInwardLinks(currentIssue.getId()).each
                {
                issueLink ->
                    if (issueLink.issueLinkType.name == "Relates")
                            {
                                linkedIssue = issueLink.getSourceObject()
                                MutableIssue timetrackIssue = componentManager.getIssueManager().getIssueObject(linkedIssue.getKey())
                                wli = new WorklogImpl(null, timetrackIssue , 0, cus.name, 'Zeitübertragung aus ' + currentIssue.getKey(), Date.parse('dd.MM.yyyy hh:mm', now), null, null, currentIssue.getTimeSpent() )
                                ComponentManager.instance.worklogManager.create(cus, wli, 0, false)
                            }
                }

        }
else    
        {
                log.debug "Issue " + currentIssue.getKey() + " hat keine gebuchte Arbeitszeit"
        }

This code manipulates directly the linked issue issue-2, which Bob can't access by browser anyway.
I don't care, I like that the code ignores that Bob can't access issue-2, because the project of issue-2 has very limited access.
However, this can be some security topic on other customers.
Thanks
Jörg

0 vote

Make sure user b has "Borwse Project" permission on both the projects.

https://confluence.atlassian.com/display/JIRA/Managing+Project+Permissions

So... In short, check "Bob" can see both issues that are linked together!

Hi Jobin,
thats something, I have already checkt.

The project Test, can be browsed for test purpose by "anyone", but link still wasn't shown.

"Browse project", this was just the half of the problem.
On issue JLTA-76 also issue security schema was applied.

Thanks
Jörg

Yup, that is the next :) If the issue is protected by a security scheme, users won't see it unless they are part of that security level.

Suggest an answer

Log in or Sign up to answer
How to earn badges on the Atlassian Community

How to earn badges on the Atlassian Community

Badges are a great way to show off community activity, whether you’re a newbie or a Champion.

Learn more
Community showcase
Published yesterday in Jira Software

How large do you think Jira Software can grow?

Hi Atlassian Community! My name is Shana, and I’m on the Jira Software team. One of the many reasons this Community exists is to connect you to others on similar product journeys or with comparabl...

347 views 4 9
Read article

Atlassian User Groups

Connect with like-minded Atlassian users at free events near you!

Find a group

Connect with like-minded Atlassian users at free events near you!

Find my local user group

Unfortunately there are no AUG chapters near you at the moment.

Start an AUG

You're one step closer to meeting fellow Atlassian users at your local meet up. Learn more about AUGs

Groups near you