[CONFSERVER-12859] Hidden pages' content can be viewed without permission using copypage.action - Create and track feature requests for Atlassian products.

Type: Bug
Resolution: Fixed
Priority: High
Fix Version/s: 2.9.1
Affects Version/s: 2.4.3, 2.9
Component/s: None
Labels:

Bug Fix Policy:
View Atlassian Server bug fix policy

If the id of a page is known by a user, that user can view the content of the page without having permissions to the space it is in. They need only construct the right URL.
EG:
Two spaces A and B
Page with id 1 is in Space A
User cannot see Space A
User can see Space B

The following URL will allow the user to copy the page to space B and view its content.

http://confluence.example.com/pages/copypage.action?spaceKey=B&idOfPageToCopy=1

- - Sort By Name
  - Sort By Date
  - Ascending
  - Descending
  - Thumbnails
  - List

CopyPageAction.class-2.7.3
6 kB
26/Aug/2008 11:54 PM
CopyPageAction.class-2.8.2
6 kB
26/Aug/2008 11:54 PM
CopyPageAction.java-2.7.3
4 kB
01/Sep/2008 4:27 AM
CopyPageAction.java-2.8.2
4 kB
01/Sep/2008 4:27 AM
CopyPageAction.class-2.6.2
6 kB
23/Dec/2008 6:44 AM
CopyPageAction.java-2.6.2
4 kB
23/Dec/2008 6:44 AM

relates to

CONFSERVER-12860 Hidden pages' content can be viewed without permission using diffpages.action

Closed

Assignee:: Don Willis

Reporter:: Don Willis

Affected customers:: 0 This affects my team

Watchers:: 2 Start watching this issue

Created:: 25/Aug/2008 10:28 AM

Updated:: 11/Oct/2018 8:55 AM

Resolved:: 26/Aug/2008 6:07 AM

Details

Description

Attachments

Attachments

Issue Links

Forms

Activity

People

Dates