In this version of Exalate, you can access data from an access restricted project with the Connect operation.
Let's assume that john.doe is a regular user with no admin access to Jira.
The Jira has following setup
With these permissions, john.doe can create an issue in Project A, and connect it to an issue from Project B, even though he has no access to Project B.
He can do this as follows:
From now on, this issue in Project A (the public project) will receive data from the private issue of Project B (the restricted project).
Until we resolve this, we recommend the following workarounds:
Disable the Connect operation. This can be done by unchecking in the General Settings.
Advanced users would be able to perform a Connect operation through a REST API call. Because of this, we recommend making sure that the proxy user has no access to disabling the Connect operation.