Uploaded image for project: 'Confluence Data Center'
  1. Confluence Data Center
  2. CONFSERVER-10807

Users with view permissions on a space are able to delete (purge) pages they don't have permission to edit/access

XMLWordPrintable

    • Icon: Bug Bug
    • Resolution: Fixed
    • Icon: Highest Highest
    • 2.7.2
    • 2.4.3, 2.7, 2.7.1
    • None

    • all

      If a user has at least view permissions on a space they can purge any page in that space using the URL:

      /pages/purgetrashitem.action?key=&contentId=

      and the right contentId and space key.

      A purge can be performed even if the page has not been marked for deletion.

      This issue has been replicated and verified by the Confluence support team:
      https://support.atlassian.com/browse/CSP-16133

      This is a critical security hole and should be fixed ASAP.

        1. patch-2.5.x-2.6.x.zip
          1 kB
          dave
        2. PurgeTrashItemAction.class
          3 kB
          dave

            [CONFSERVER-10807] Users with view permissions on a space are able to delete (purge) pages they don't have permission to edit/access

            dave (Inactive) added a comment -

            Just tested our existing 2.6.x patch against 2.5.x and it works.

            The existing patch has been renamed to indicate compatibility with 2.5. Instructions have also been updated.

            dave (Inactive) added a comment - Just tested our existing 2.6.x patch against 2.5.x and it works. The existing patch has been renamed to indicate compatibility with 2.5. Instructions have also been updated.

            dave (Inactive) added a comment - - edited

            Unfortunately, no patch will be issued for 2.4.3.

            The patches currently attached do not work on 2.4.x. Please do not attempt to patch your install with them.

            dave (Inactive) added a comment - - edited Unfortunately, no patch will be issued for 2.4.3. The patches currently attached do not work on 2.4.x. Please do not attempt to patch your install with them.

            Neeraj Jhanji added a comment -

            Is there a possibility to provide a patch for 2.4.3 users?

            Neeraj Jhanji added a comment - Is there a possibility to provide a patch for 2.4.3 users?

            dave (Inactive) added a comment - - edited

            Instructions for Confluence 2.5.x and 2.6.x users

            The patch instructions for 2.5.x and 2.6.x are identical to those listed above. The only difference is that we've included a separate patched class that we specifically tested against 2.5.x and 2.6.x.

            You will find this patched class inside the patch-2.5.x-2.6.x.zip (which is attached).

            dave (Inactive) added a comment - - edited Instructions for Confluence 2.5.x and 2.6.x users The patch instructions for 2.5.x and 2.6.x are identical to those listed above. The only difference is that we've included a separate patched class that we specifically tested against 2.5.x and 2.6.x. You will find this patched class inside the patch-2.5.x-2.6.x.zip (which is attached).

            dave (Inactive) added a comment -

            The check for the item to be marked as deleted or trashed will be rolled into the main point release (2.7.2) to simplify the patch and patching procedure.

            dave (Inactive) added a comment - The check for the item to be marked as deleted or trashed will be rolled into the main point release (2.7.2) to simplify the patch and patching procedure.

            dave (Inactive) added a comment - - edited

            Patch Instructions for 2.7.x users

            1. Shutdown Confluence
            2. Create the following directories com/atlassian/confluence/pages/actions in your confluence/WEB-INF/classes directory.
            3. Copy the attached PurgeTrashItemAction.class to confluence/WEB-INF/classes/com/atlassian/confluence/pages/actions
            4. Startup Confluence

            Patch Change Summary

            This patch will cause trash purging to check for space administrator permissions before allowing purging to proceed. All users without such a permission will be presented with a "Not Permitted" screen. Even direct posting to dopurgetrashitem.action is protected.

            dave (Inactive) added a comment - - edited Patch Instructions for 2.7.x users Shutdown Confluence Create the following directories com/atlassian/confluence/pages/actions in your confluence/WEB-INF/classes directory. Copy the attached PurgeTrashItemAction.class to confluence/WEB-INF/classes/com/atlassian/confluence/pages/actions Startup Confluence Patch Change Summary This patch will cause trash purging to check for space administrator permissions before allowing purging to proceed. All users without such a permission will be presented with a "Not Permitted" screen. Even direct posting to dopurgetrashitem.action is protected.

            dave (Inactive) added a comment -

            Thanks for submitting this problem.

            We've confirmed that this is a problem, but the user has to have permissions to view the space at least.

            Looking into a patch/fix for this issue.

            dave (Inactive) added a comment - Thanks for submitting this problem. We've confirmed that this is a problem, but the user has to have permissions to view the space at least. Looking into a patch/fix for this issue.

            dave (Inactive) added a comment -

            Looking into this issue now.

            dave (Inactive) added a comment - Looking into this issue now.

              dave@atlassian.com dave (Inactive)
              jhanji@imahima.com Neeraj Jhanji
              Affected customers:
              0 This affects my team
              Watchers:
              2 Start watching this issue

                Created:
                Updated:
                Resolved: