Mojira Archive
STAFF-273

Restrict bulk change for regular users

Regular users currently have bulk change permissions. For most operations, this is not a problem, because they can only bulk change fields on issues where they could make those changes individually, i.e., they are the reporter.

However, bulk change also allows you to bulk comment, which regular users can do on any issue they can see that isn't closed. It does not appear to be possible to specifically restrict the ability to bulk comment – if a user has the bulk change permission, and the ability to comment on an issue, they can bulk comment. In fact, the JIRA documentation specifically warns about the possibility of this being exploited to cause massive havoc:

The decision to grant the Bulk Change permission should be considered carefully. This permission grants users the ability to modify a collection of issues at once. For example, in JIRA installations configured to run in Public mode (i.e. anybody can sign up and create issues), a user with the Bulk Change global permission and the Add Comments project permission could comment on all accessible issues. Undoing such modifications may not be possible through the JIRA application interface and may require changes made directly against the database (which is not recommended).

A regular user recently used this to post a comment asking for reporters to update the Affects Version/s field on hundreds of open issues. We are fortunate that the ability to do this hasn't occurred to anyone with malicious intent.

Regular users should have no legitimate use for the bulk change permission. If they're actively maintaining a significant number of issues, then we should consider offering them helper status, which should have bulk change permissions.
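As an added illustration (not part of this ticket or of Mojira), the kind of detection an administrator could run over exported comment data to spot the bulk-comment pattern described above: the same text posted by one account to many distinct issues within seconds. The sample records are constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample comment events: (author, issue key, ISO timestamp, body).
# These records are made up for the example; they are not Mojira data.
SAMPLE_COMMENTS = [
    ("alice", "MC-1001", "2016-11-06T16:43:00", "Please update the Affects Version/s field."),
    ("alice", "MC-1002", "2016-11-06T16:43:01", "Please update the Affects Version/s field."),
    ("alice", "MC-1003", "2016-11-06T16:43:01", "Please update the Affects Version/s field."),
    ("alice", "MC-1004", "2016-11-06T16:43:02", "Please update the Affects Version/s field."),
    ("alice", "MC-1050", "2016-11-06T17:10:00", "Confirmed on the latest snapshot."),
    ("bob",   "MC-2001", "2016-11-06T17:00:00", "I can reproduce this."),
    ("bob",   "MC-2002", "2016-11-06T17:00:30", "I can reproduce this."),
    ("carol", "MC-3001", "2016-11-06T18:00:00", "Duplicate?"),
    ("carol", "MC-3002", "2016-11-06T18:10:00", "Duplicate?"),
    ("carol", "MC-3003", "2016-11-06T18:20:00", "Duplicate?"),
]


def find_bulk_comment_bursts(comments, window=timedelta(minutes=5), threshold=3):
    """Flag (author, comment text) pairs posted to at least `threshold` distinct
    issues within any span of length `window`. Returns {(author, text): [keys]}.
    Bulk comment writes identical text to every selected issue within seconds;
    ordinary triage comments differ per issue and are spread out, so they pass.
    """
    events = defaultdict(list)
    for author, issue, ts, body in comments:
        events[(author, body.strip())].append((datetime.fromisoformat(ts), issue))

    bursts = {}
    for key, posts in events.items():
        posts.sort()
        flagged = set()
        start = 0
        for end in range(len(posts)):
            # Slide the window start forward until the span is at most `window`.
            while posts[end][0] - posts[start][0] > window:
                start += 1
            in_window = {issue for _, issue in posts[start:end + 1]}
            if len(in_window) >= threshold:
                flagged |= in_window
        if flagged:
            bursts[key] = sorted(flagged)
    return bursts


if __name__ == "__main__":
    for (author, text), issues in find_bulk_comment_bursts(SAMPLE_COMMENTS).items():
        print(f"{author} posted {text!r} on {len(issues)} issues: {', '.join(issues)}")
```

With the sample data, only alice's identical comment on four issues within two seconds is flagged; bob is below the threshold and carol's three identical comments are ten minutes apart, so they never share a five-minute window.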

Fixed

[Mod] Torabi

[Mojang] Nathan Adams

2016-11-06, 04:43 PM

2016-11-07, 08:43 PM

2016-11-07, 09:37 AM

1

2

exploit, spam