Permissions problem with Archived issues

Hello Atlassian Data Center team -
We’re looking to improve our support for Jira Data Center’s “archived issues”. Right now, when a Jira issue is archived, the Jira user immediately sees an ugly permissions error.

screenshot-1

Our permission check uses com.atlassian.jira.security.PermissionManager.hasPermission() call to get user permissions.

By default it uses the ProjectPermissions.VIEW_DEV_TOOLS permission. That permission has the availableForArchivedEntities flag set to false. And the hasPermission() permission call returns false as well.

ProjectPermissions.VIEW_DEV_TOOLS is not allowed for archived Jira issues.

Do you have any recommendations on how to work through this?

1 Like

You probably need to add ProjectPermissions.BROWSE_ARCHIVE permission if the issue is archived.

Could you please explain your recommendation?

Let me describe our goal in more detail. Our plugin shows some development information and uses ‘VIEW_DEV_TOOLS’ permission to determine the user’s possibility to see the information.
Yes, we can use other permissions (for example, the ‘BROWSE_PROJECTS’ is enough to see archived Jira issues). But. If we change the ‘VIEW_DEV_TOOLS’ permission to some another one – will it lead to that our development information will be displayed to persons who have no appropriate rights to see it? It seems – yes.

Even if we use the ‘BROWSE_ARCHIVE’ permission only for archived Jira issues – it will still lead to that development information will be displayed to persons who have no development rights, but for archived Jira issues only.

Can you check for multiple permissions? Something like this:

if (user.hasPermission(VIEW_DEV_TOOLS) &&
(!issue.isArchived() || (issue.isArchived() && user.hasPermission(BROWSE_ARCHIVE)
) {
issue.showCommits();
}

Thank you. Yes, we may do this.
But in that case, a user without the ‘VIEW_DEV_TOOLS’ may be able to see the development information in the archived Jira issues. It looks like an access violation, doesn’t it?

The first clause of the if statement (user.hasPermission(VIEW_DEV_TOOLS)) will ensure that only users with VIEW_DEV_TOOLS permission may view commits.

Oh! Thank you! Your are right.
We’ll try this.

A Jira bug for this has been created – https://jira.atlassian.com/browse/JRASERVER-71644