I have a page viewable by the public on which there is a jiraissue macro. Since each issue is a link, public users can follow this to view the issue in Jira. I was expecting that they could only view the issue according to the permission schemes I have set, but the workflow transition is not only visible, the workflow operations such as the Edit button are also enabled for them. This is obviously not acceptable.
Could anyone please let me know how to fix this?
This is mostly down to permissions.
The first question is "are your users logging in?". If they are, then you need to chop down your permission schemes a bit to remove the abilities they are getting via their user account (groups, roles, etc.).
If not, then you've got "browse = anyone" in your permission scheme, which is fine because it allows anonymous read access, but you've probably used "anyone" in other permissions too - edit is one of them. Remove the "anyone" and cut it all down to logged-in known users.
The workflow transitions are a similar principle, but you need to look in a different place. Open up the workflow(s) and look at the transitions. You'll probably find that they have no *conditions* or they have *conditions* like "allow people with resolve permission". In the first case, you need to add a condition that will prevent non-logged in users from doing it - the most simple way to do that is simply whack in "user is in group jira-users", as that's the "can log in" group, but you might actually want to cut it down to something even more restrictive. In the second case, you could do the same as the first case, but also think about why they're getting those permissions.
By public users, I mean those who are not logged in. I have only one permission scheme at this moment, which is the default one, and I have carefully looked through all of the permissions to see if any 'Anyone' had slipped in, but none was found. The 'edit' is definitely not Anyone, and that explains why the 'Edit' button is correctly hidden from public users. However, the 'Edit' button of the workflow transition is enabled, and I have learnt that I should set up permission parameters for the workflow steps (in the Workflow page like you suggested), but is there any way to fix this instead of going through all the steps in all the workflows which are active now and setting up each individual parameter?
I have a lot of workflows at this moment and no permission parameter has been set, and it seems that if no permission is set for a step, it will default to 'Anyone', resulting in the problem I have here. I found that a rather strange thing to be set as the default in Jira. Please correct me if I'm wrong.
Many thanks, Nic!
I think an overall "anonymous users can't do anything in this workflow" flag would be useful. But I don't think there's even a request open for any meta-permission type stuff, and I suspect it wouldn't be a simple change. I don't think it'll happen anytime soon.
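An added example, not part of the original thread and not Atlassian code: a small audit that lists which transitions in an exported workflow XML carry no condition, so the ones needing a "user is in group" condition can be found without opening each one by hand. It assumes the export follows the OSWorkflow-style layout of the constructed sample; `unconditioned_transitions` and the sample workflow are hypothetical.

```python
import xml.etree.ElementTree as ET

# Constructed sample, modelled on an OSWorkflow-style workflow export.
# The layout and class name are assumptions; check them against your own export.
SAMPLE_WORKFLOW = """<workflow>
  <initial-actions>
    <action id="1" name="Create Issue"/>
  </initial-actions>
  <common-actions>
    <action id="2" name="Close Issue">
      <restrict-to><conditions>
        <condition type="class">
          <arg name="class.name">com.atlassian.jira.workflow.condition.PermissionCondition</arg>
          <arg name="permission">Close Issue</arg>
        </condition>
      </conditions></restrict-to>
    </action>
    <action id="4" name="Start Progress"/>
  </common-actions>
  <steps>
    <step id="1" name="Open">
      <actions>
        <common-action id="2"/>
        <common-action id="4"/>
        <action id="711" name="Escalate">
          <restrict-to><conditions/></restrict-to>
        </action>
      </actions>
    </step>
  </steps>
</workflow>"""


def unconditioned_transitions(workflow_xml):
    """Return sorted (id, name) pairs for transitions that carry no condition."""
    root = ET.fromstring(workflow_xml)
    # The initial "create" action is not a transition a viewer clicks; skip it.
    skip = set(root.findall("initial-actions/action"))
    found = set()
    # iter("action") reaches common, global and per-step actions alike;
    # <common-action id="..."/> references are a different tag and are ignored.
    for action in root.iter("action"):
        if action in skip:
            continue
        restrict = action.find("restrict-to")
        # An absent <restrict-to> and an empty <conditions/> both mean "no condition".
        if restrict is None or next(restrict.iter("condition"), None) is None:
            found.add((int(action.get("id")), action.get("name")))
    return sorted(found)


if __name__ == "__main__":
    for action_id, name in unconditioned_transitions(SAMPLE_WORKFLOW):
        print(f"transition {action_id} ({name}): no condition set")
```

Run it over each active workflow's export and add a condition to every transition it reports.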