Users can move attachments to a space they have no permission for

      Any user with permission to edit pages in a space can move attachments in that space to any page in Confluence.

      E.g.: suppose we have a user named StandardUser who has permission to edit pages in GeneralSpace, but no permission to view or edit RestrictedSpace, which contains a page predictably named Home.
      StandardUser:

      • goes to the attachments view of a page with attachments in GeneralSpace.
      • clicks edit.
      • types "RestrictedSpace:Home" into the Page field and clicks save.

      The attachment is moved.

      The user should really need the following permissions:

      • View Space for RestrictedSpace
      • Create Attachment for RestrictedSpace

      Furthermore, the user should not be restricted from viewing or editing the target page by any page level restrictions.

            [CONFSERVER-11452] Users can move attachments to a space they have no permission for

            Don Willis added a comment -

            Hi Mark. You just create the directories.


            Mark added a comment -

            Windows install of Confluence 2.8
            No such directories as /pages/actions/ and /confluence/core/ exist
            I only have:
            C:\confluence\confluence\WEB-INF\classes\com\atlassian\confluence\setup
            Nothing else in the confluence directory other than setup

            Do we create these or is something missing?


            Chris Broadfoot [Atlassian] added a comment -

            The following permissions are now required to move an attachment to another page:

            • Edit page permission on the page/news post where the attachment resides
            • Create attachment permission on the target page/news post (at time of writing, this means create attachment permissions on the target space)

            If the first permission is not met, then the user cannot enter the screen to perform any editing of attachments on that page.
            If the first permission is met, the user has the option to enter the new parent page, and if the permission check on that page/news post fails, then the user is redirected back to the edit attachment form where a field error is presented.
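
The two checks listed in the comment above, as an added Java example that is not part of the issue or of Atlassian's patch. It is a self-contained model: every class, method and permission name is hypothetical (none is a Confluence API), the grants are constructed, and the only names taken from the issue are StandardUser, GeneralSpace and RestrictedSpace:Home. The page-restricted target follows the expectation stated in the issue description.

```java
import java.util.Map;
import java.util.Set;

// Added illustration (Java 16+). Every name here is hypothetical; none is a Confluence API.
public class MoveAttachmentDemo {
    enum Perm { VIEW_SPACE, EDIT_PAGE, CREATE_ATTACHMENT }

    // allowedUsers empty = no page-level restriction on this page.
    record Page(String space, String title, Set<String> allowedUsers) {}

    // Constructed grants: user -> space -> permissions. StandardUser has nothing in RestrictedSpace.
    static final Map<String, Map<String, Set<Perm>>> GRANTS = Map.of(
        "StandardUser", Map.of("GeneralSpace",
            Set.of(Perm.VIEW_SPACE, Perm.EDIT_PAGE, Perm.CREATE_ATTACHMENT)));

    static boolean can(String user, Perm perm, Page page) {
        boolean spaceOk = GRANTS.getOrDefault(user, Map.of())
                                .getOrDefault(page.space(), Set.of()).contains(perm);
        boolean pageOk = page.allowedUsers().isEmpty() || page.allowedUsers().contains(user);
        return spaceOk && pageOk;
    }

    // Behaviour reported in the issue: only the source page is authorized.
    static String moveBeforeFix(String user, Page source, Page target) {
        if (!can(user, Perm.EDIT_PAGE, source)) return "DENIED: cannot edit attachments here";
        return "MOVED to " + target.space() + ":" + target.title();
    }

    // Behaviour after the fix: the target is authorized too, and a failure there
    // is reported as a field error on the edit form instead of moving the file.
    static String moveAfterFix(String user, Page source, Page target) {
        if (!can(user, Perm.EDIT_PAGE, source)) return "DENIED: cannot edit attachments here";
        if (!can(user, Perm.CREATE_ATTACHMENT, target))
            return "FIELD ERROR: you cannot add attachments to the page entered";
        return "MOVED to " + target.space() + ":" + target.title();
    }

    public static void main(String[] args) {
        Page src = new Page("GeneralSpace", "Notes", Set.of());             // constructed page
        Page open = new Page("GeneralSpace", "Archive", Set.of());          // constructed page
        Page locked = new Page("GeneralSpace", "Payroll", Set.of("AdminUser")); // page-restricted
        Page restricted = new Page("RestrictedSpace", "Home", Set.of());    // target from the issue
        for (Page target : new Page[] { open, locked, restricted }) {
            System.out.println(target.title() + " before: " + moveBeforeFix("StandardUser", src, target));
            System.out.println(target.title() + " after:  " + moveAfterFix("StandardUser", src, target));
        }
    }
}
```

Only the open target in GeneralSpace is still moved after the fix; the page-restricted target and RestrictedSpace:Home come back as field errors, while the pre-fix path moves all three.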

            Chris Broadfoot [Atlassian] added a comment -

            Patch for 2.7.x, 2.8.0

            1. Download attached MoveAttachmentAction.class and ConfluenceActionSupport.properties
            2. Place MoveAttachmentAction.class in confluence/WEB-INF/classes/com/atlassian/confluence/pages/actions/
            3. Place ConfluenceActionSupport.properties in confluence/WEB-INF/classes/com/atlassian/confluence/core/
            4. Restart Confluence

              Unassigned Unassigned
              stafford@customware.net Stafford Vaughan [CustomWare]