Discrepancy between API and implementation of the CommentPermissionManager.hasBrowsePermission

Hi!

I have encountered a discrepancy between the API (and declared contract) and the implementation of CommentPermissionManager.hasBrowsePermission.

The API declares that the method -

“…does not check if the user has the permission to see the issue the comment is attached to however.”

But the implementation (at least DefaultCommentPermissionManager.hasBrowsePermission) checks issue visibility, and returns false if the user has no permission to browse the project (‘ProjectPermissions.BROWSE_PROJECTS’). I have checked for Jira.Core 8.11.0 and 8.12.0.

Is it going to be a new contract, so that the check for issue visibility will stay, or is it a bug in the implementation?


Hi,
This behavior was changed intentionally to solve the security issue, https://jira.atlassian.com/browse/JRASERVER-70543.