
Key: CONF-11452
Type: Bug
Status: Resolved
Resolution: Fixed
Priority: Critical
Assignee: Unassigned
Reporter: Stafford Vaughan [CustomWare]
Votes: 0
Watchers: 2
Confluence

Users can move attachments to a space they have no permission for

Created: 14/Apr/08 07:31 PM   Updated: 23/May/08 03:03 AM
Component/s: Attachments, Security
Affects Version/s: 2.7, 2.8
Fix Version/s: 2.8.1

Time Tracking:
Not Specified

File Attachments: 1. ConfluenceActionSupport.properties (325 kB)
2. MoveAttachmentAction.class (11 kB)


Participants: Chris Broadfoot [Atlassian], Don Willis [Atlassian], Mark Magin and Stafford Vaughan [CustomWare]
Since last comment: 27 weeks, 3 days ago
Internal Complexity: 3
Resolution Date: 06/May/08 10:51 PM
Internal Value: 5
Labels:


Description
Any user with permission to edit pages in a space can move attachments in that space to any page in Confluence.

E.g., suppose we have a user named StandardUser who has permission to edit pages in GeneralSpace, but no permission to view or edit RestrictedSpace, which contains a page predictably named Home.
StandardUser:

  • goes to the attachments view of a page with attachments in GeneralSpace.
  • clicks edit.
  • types "RestrictedSpace:Home" into the Page field and clicks save.

The attachment is moved.

The user should really need the following permissions:

  • View Space for RestrictedSpace
  • Create Attachment for RestrictedSpace

Furthermore, the user should not be restricted from viewing or editing the target page by any page level restrictions.



Chris Broadfoot [Atlassian] added a comment - 04/May/08 08:25 PM

Patch for 2.7.x, 2.8.0

  1. Download attached MoveAttachmentAction.class and ConfluenceActionSupport.properties
  2. Place MoveAttachmentAction.class in confluence/WEB-INF/classes/com/atlassian/confluence/pages/actions/
  3. Place ConfluenceActionSupport.properties in confluence/WEB-INF/classes/com/atlassian/confluence/core/
  4. Restart Confluence

Chris Broadfoot [Atlassian] added a comment - 04/May/08 11:49 PM
The following permissions are now required to move an attachment to another page:
  • Edit page permission on the page/news post where the attachment resides
  • Create attachment permission on the target page/news post (at time of writing, this means create attachment permissions on the target space)

If the first permission is not met, then the user cannot enter the screen to perform any editing of attachments on that page.
If the first permission is met, the user has the option to enter the new parent page, and if the permission check on that page/news post fails, then the user is redirected back to the edit attachment form where a field error is presented.
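
The source-only check from the description next to the source-plus-target check, modelled as an added example (not Confluence code and not part of the comment thread). The class, method and permission names are hypothetical, and the grants are constructed sample data.

```java
import java.util.*;

// Added illustration: a self-contained model, not Confluence code. Every name is hypothetical.
public class MoveAttachmentCheck {
    enum Perm { VIEW_SPACE, EDIT_PAGE, CREATE_ATTACHMENT }

    // restrictedTo: users allowed by page-level restrictions; empty means unrestricted.
    record Page(String space, String title, Set<String> restrictedTo) {
        boolean allows(String user) { return restrictedTo.isEmpty() || restrictedTo.contains(user); }
    }

    // Constructed sample grants: user -> space -> space-level permissions.
    static final Map<String, Map<String, Set<Perm>>> GRANTS = Map.of(
        "StandardUser", Map.of("GeneralSpace", EnumSet.of(Perm.VIEW_SPACE, Perm.EDIT_PAGE)));

    static boolean has(String user, Page page, Perm perm) {
        return GRANTS.getOrDefault(user, Map.of())
                     .getOrDefault(page.space(), Set.of()).contains(perm);
    }

    // Behaviour the report describes: only the source page is checked.
    static boolean canMoveBeforeFix(String user, Page source, Page target) {
        return has(user, source, Perm.EDIT_PAGE);
    }

    // Source check plus the target-side checks the report asks for.
    // Returns the failed checks; an empty list means the move is allowed.
    // The reasons are meant for an audit log; showing the user one generic
    // field error avoids confirming that a restricted page exists.
    static List<String> moveErrors(String user, Page source, Page target) {
        if (!has(user, source, Perm.EDIT_PAGE) || !source.allows(user))
            return List.of("no edit permission on the source page");
        List<String> errors = new ArrayList<>();
        if (!has(user, target, Perm.VIEW_SPACE)) errors.add("cannot view target space");
        if (!has(user, target, Perm.CREATE_ATTACHMENT)) errors.add("cannot create attachments in target space");
        if (!target.allows(user)) errors.add("target page is restricted for this user");
        return errors;
    }

    public static void main(String[] args) {
        Page source = new Page("GeneralSpace", "Notes", Set.of());
        Page target = new Page("RestrictedSpace", "Home", Set.of());
        System.out.println("before fix allowed: " + canMoveBeforeFix("StandardUser", source, target));
        System.out.println("after fix errors:   " + moveErrors("StandardUser", source, target));
    }
}
```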


Mark Magin added a comment - 22/May/08 11:21 PM
Windows install of Confluence 2.8
No such directories as /pages/actions/ and /confluence/core/ exist
I only have:
C:\confluence\confluence\WEB-INF\classes\com\atlassian\confluence\setup
Nothing else in the confluence directory other than setup

Do we create these or is something missing?


Don Willis [Atlassian] added a comment - 23/May/08 03:03 AM
Hi Mark. You just create the directories.