Details
Suggestion
Resolution: Unresolved
Java Version 1.5.0_01
Java Vendor Sun Microsystems Inc.
JVM Version 1.0
JVM Vendor Sun Microsystems Inc.
JVM Implementation Version 1.5.0_01-b08
Java Runtime Java(TM) 2 Runtime Environment, Standard Edition
Java VM Java HotSpot(TM) Client VM
User Name tomcat4
User Timezone America/New_York
Operating System Linux 2.6.10-1.771_FC2smp
OS Architecture i386
Filesystem Encoding UTF-8
Java VM Memory Statistics
Total Memory 381 MB
Free Memory 239 MB
Used Memory 142 MB
Memory Graph
[Used Memory ( 37 %)] [Free Memory ( 63 %)]
63 % Free
Runtime Information
Application Server Apache Tomcat/5.0
Servlet Version 2.4
Confluence Home /var/lib/tomcat5/data/confluence
Uptime 1 hour, 6 minutes, 49 seconds
Version 2.1.5
Build Number 411
Description
NOTE: This suggestion is for Confluence Server. Using Confluence Cloud? See the corresponding suggestion.
In previous versions of Confluence, Space Administrators could access the "Layout" page in "Space Administration" to edit the Space Theme manually (the Velocity files specifically). It appears that at some point after Confluence 2.0 this ability was removed due to security concerns but the documentation was not updated at the time. I ran into this and filed the following bug at http://support.atlassian.com – CSP-3044.
~~~~~~~~~~~
I had a call from a Space Administrator today who was trying to modify the custom decorators for a space per these instructions.
http://confluence.atlassian.com/display/CONF20/Working+with+Custom+Decorators
However, he couldn't view the "Layout" link in the "Look and Feel" section of the "Space Administration" page (he only had 3 items there rather than 4). To test, I created a user, gave it space administration privileges and verified I couldn't see the "Layout" link. Interestingly enough, my regular user which has full Confluence Administration privileges ("Administrate Confluence" in "Global Permissions") could see the "Layout" link in "Space Administration".
Some further testing showed that the only users who can see the "Layout" button in the "Space Administration" page are those with full "Administrate Confluence" privileges.
Since the documentation above says "You need to be a space administrator to edit decorator files." I'm presuming this is a bug and hope it can be easily/quickly fixed.
I also tried to manually go to the layout link as a space administrator user and was denied with a "You are not permitted to perform this operation." message.
Thanks for your help.
~~~~~~~~~
The response was that "Unfortunately it is a security risk to allow space administrators to put arbitrary velocity markup in layouts – they could escalate their privileges to those of the global administrator."
I then noted that the docs were incorrect and asked if this had changed recently... The answer was "At one time they could. The ideal solution would be to make sure that a 'bad' layout can't produce a security problem, but that's hard. You can raise a feature request for more granular permissions at http://jira.atlassian.com and we will consider it."
So... I'm making a feature request here that Space Administrators could selectively be allowed to edit the Layout files (Velocity files). I'm not very picky as to whether it's a global Confluence preference (i.e. all Space Administrators can edit Layout files) or an extra Space permission.
Thanks.
Issue Links
- is duplicated by
  - CONFSERVER-16024 Space Admin unable to access Space Layout (Closed)
  - CONFSERVER-19387 "Space Admins" who are not full Confluence Admins get "Not Permitted" error on attempt to edit stylesheet (Closed)
- is related to
  - CONFSERVER-5373 User with admin permission on a space can't see Browse Space, Space Admin, Layout link. (Closed)
  - CONFSERVER-20369 A user can access a space's PDF Layout/Stylesheets without global Confluence admin permissions. (Closed)
- relates to
  - CONFCLOUD-5808 Allow Space Administrators Access to the Space Layout (Gathering Interest)