What is changing?
The GET custom field option REST API will now enforce a permission check and return the custom field option only in the following cases:
- the user has the Administer Jira global permission.
- the user has the Browse projects project permission for at least one project the custom field is used in, and the field is visible in at least one layout the user has permission to view.
If the user does not have permission to view the custom field, or the option does not exist, a 404 will be returned.
Why this change?
Previously, this API allowed anonymous users to see the value of any custom field option, provided they had a valid option ID. This presents a security risk, as intruders can use brute force techniques to get custom field options that they should not be allowed to see.
What do I need to do?
If you are using this API, you will need to ensure you are authenticated as a user with the appropriate permission to view the custom field option.
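A post-rollout check for an integration, as an added example that is not part of the original notice or Atlassian's own code: it confirms that an anonymous request for one option in a non-public project now gets a 404 while the integration account still gets the option. Assumptions: the endpoint path is the Jira Cloud v3 one (`/rest/api/3/customFieldOption/{id}`), authentication is basic auth with account email and API token, and the function names and the `urlopen` injection parameter are hypothetical.

```python
import base64
import json
import urllib.error
import urllib.request

# Assumption: Jira Cloud REST API v3 path; the notice does not spell it out.
OPTION_PATH = "/rest/api/3/customFieldOption/{id}"


class OptionNotVisible(Exception):
    """404: the option does not exist OR the caller may not view it."""


def get_option(base_url, option_id, email=None, api_token=None,
               urlopen=urllib.request.urlopen):
    """Fetch one custom field option; anonymous when no credentials given."""
    url = base_url.rstrip("/") + OPTION_PATH.format(id=int(option_id))
    req = urllib.request.Request(url, headers={"Accept": "application/json"})
    if email and api_token:
        # Assumption: basic auth with account email + API token.
        cred = base64.b64encode(f"{email}:{api_token}".encode()).decode()
        req.add_header("Authorization", "Basic " + cred)
    try:
        with urlopen(req, timeout=10) as resp:
            return json.load(resp)
    except urllib.error.HTTPError as err:
        if err.code == 404:
            # One status covers both cases, so the caller cannot tell them apart.
            raise OptionNotVisible(option_id) from None
        raise  # any other HTTP error is left for the caller to handle


def check_rollout(base_url, option_id, email, api_token, **kw):
    """For one option in a non-public project: anonymous must get 404,
    the authenticated integration account must still get the option."""
    result = {"anonymous_blocked": False, "authenticated_ok": False}
    try:
        get_option(base_url, option_id, **kw)
    except OptionNotVisible:
        result["anonymous_blocked"] = True
    try:
        get_option(base_url, option_id, email, api_token, **kw)
        result["authenticated_ok"] = True
    except OptionNotVisible:
        pass  # account lacks the permissions listed in the notice
    return result
```

If `authenticated_ok` comes back false for an option you know exists, the integration account is missing one of the permissions listed under "What is changing?".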
When will this change take effect?
The change will be rolled out no sooner than 19th August, 2020.