[CONFSERVER-12859] Hidden pages' content can be viewed without permission using copypage.action

Type: Bug
Resolution: Fixed
Priority: High
Fix Version/s: 2.9.1
Affects Version/s: 2.4.3, 2.9
Component/s: None
Labels:

Bug Fix Policy:
View Atlassian Server bug fix policy

If the id of a page is known by a user, that user can view the content of the page without having permissions to the space it is in. They need only construct the right URL.
EG:
Two spaces A and B
Page with id 1 is in Space A
User cannot see Space A
User can see Space B

The following URL will allow the user to copy the page to space B and view its content.

http://confluence.example.com/pages/copypage.action?spaceKey=B&idOfPageToCopy=1

- - Sort By Name
  - Sort By Date
  - Ascending
  - Descending
  - Thumbnails
  - List

CopyPageAction.class-2.6.2
6 kB
23/Dec/2008 6:44 AM
CopyPageAction.class-2.7.3
6 kB
26/Aug/2008 11:54 PM
CopyPageAction.class-2.8.2
6 kB
26/Aug/2008 11:54 PM
CopyPageAction.java-2.6.2
4 kB
23/Dec/2008 6:44 AM
CopyPageAction.java-2.7.3
4 kB
01/Sep/2008 4:27 AM
CopyPageAction.java-2.8.2
4 kB
01/Sep/2008 4:27 AM

relates to

CONFSERVER-12860 Hidden pages' content can be viewed without permission using diffpages.action

Closed

Paul Curren added a comment - 23/Dec/2008 6:44 AM

Java 1.4 compiled 2.6.2 patch attached.

Paul Curren added a comment - 23/Dec/2008 6:44 AM Java 1.4 compiled 2.6.2 patch attached.

Chris Kiehl added a comment - 01/Sep/2008 4:27 AM

Attached the patched java files for 2.7.3 and 2.8.2.

Chris Kiehl added a comment - 01/Sep/2008 4:27 AM Attached the patched java files for 2.7.3 and 2.8.2.

Chris Kiehl added a comment - 26/Aug/2008 11:54 PM

I attached patched class files for versions 2.8.2 and 2.7.3 of Confluence. Please refer to the installation instructions.

The subdirectories for the class file are com/atlassian/confluence/pages/actions/. You need to remove the "-<version>" from the class file before copying it.

Chris Kiehl added a comment - 26/Aug/2008 11:54 PM I attached patched class files for versions 2.8.2 and 2.7.3 of Confluence. Please refer to the installation instructions . The subdirectories for the class file are com/atlassian/confluence/pages/actions/ . You need to remove the "-<version>" from the class file before copying it.

Don Willis added a comment - 26/Aug/2008 6:07 AM

Permissions are now checked on the page being copied.

Don Willis added a comment - 26/Aug/2008 6:07 AM Permissions are now checked on the page being copied.

Don Willis added a comment - 25/Aug/2008 10:28 AM

This issue was reported to support by Neeraj Jhanji

Don Willis added a comment - 25/Aug/2008 10:28 AM This issue was reported to support by Neeraj Jhanji

Assignee:: Don Willis

Reporter:: Don Willis

Affected customers:: 0 This affects my team

Watchers:: 2 Start watching this issue

Created:: 25/Aug/2008 10:28 AM

Updated:: 11/Oct/2018 8:55 AM

Resolved:: 26/Aug/2008 6:07 AM

Details

Description

Attachments

Attachments

Issue Links

Forms

Activity

Collapse comment: Paul Curren added a comment - 23/Dec/2008 6:44 AM

Expand comment: Paul Curren added a comment - 23/Dec/2008 6:44 AM

Collapse comment: Chris Kiehl added a comment - 01/Sep/2008 4:27 AM

Expand comment: Chris Kiehl added a comment - 01/Sep/2008 4:27 AM

Collapse comment: Chris Kiehl added a comment - 26/Aug/2008 11:54 PM

Expand comment: Chris Kiehl added a comment - 26/Aug/2008 11:54 PM

Collapse comment: Don Willis added a comment - 26/Aug/2008 6:07 AM

Expand comment: Don Willis added a comment - 26/Aug/2008 6:07 AM

Collapse comment: Don Willis added a comment - 25/Aug/2008 10:28 AM

Expand comment: Don Willis added a comment - 25/Aug/2008 10:28 AM

People

Dates