  1. Confluence Data Center
  2. CONFSERVER-5808

Allow Space Administrators Access to the Space Layout


Details

    • Suggestion
    • Resolution: Unresolved
    • We collect Confluence feedback from various sources, and we evaluate what we've collected when planning our product roadmap. To understand how this piece of feedback will be reviewed, see our Implementation of New Features Policy.

    Description

      NOTE: This suggestion is for Confluence Server. Using Confluence Cloud? See the corresponding suggestion.

      In previous versions of Confluence, Space Administrators could access the "Layout" page in "Space Administration" to edit the Space Theme manually (the Velocity files specifically). It appears that at some point after Confluence 2.0 this ability was removed due to security concerns but the documentation was not updated at the time. I ran into this and filed the following bug at http://support.atlassian.com – CSP-3044.

      ~~~~~~~~~~~

      I had a call from a Space Administrator today who was trying to modify the custom decorators for a space per these instructions.

      http://confluence.atlassian.com/display/CONF20/Working+with+Custom+Decorators

      However, he couldn't view the "Layout" link in the "Look and Feel" section of the "Space Administration" page (he only had 3 items there rather than 4). To test, I created a user, gave it space administration privileges and verified I couldn't see the "Layout" link. Interestingly enough, my regular user which has full Confluence Administration privileges ("Administrate Confluence" in "Global Permissions") could see the "Layout" link in "Space Administration".

      Some further testing showed that the only users who can see the "Layout" button in the "Space Administration" page are those with full "Administrate Confluence" privileges.

      Since the documentation above says "You need to be a space administrator to edit decorator files." I'm presuming this is a bug and hope it can be easily/quickly fixed.

      I also tried to manually go to the layout link as a space administrator user and was denied with a "You are not permitted to perform this operation." message.

      Thanks for your help.

      ~~~~~~~~~

      The response was that "Unfortunately it is a security risk to allow space administrators to put arbitrary velocity markup in layouts – they could escalate their privileges to those of the global administrator."

      I then noted that the docs were incorrect and asked if this had changed recently... The answer was "At one time they could. The ideal solution would be to make sure that a 'bad' layout can't produce a security problem, but that's hard. You can raise a feature request for more granular permissions at http://jira.atlassian.com and we will consider it."

      So... I'm making a feature request here that Space Administrators could selectively be allowed to edit the Layout files (Velocity files). I'm not very picky as to whether it's a global Confluence preference (i.e. all Space Administrators can edit Layout files) or an extra Space permission.

      Thanks.

            People

              Unassigned
              Andrew Miller
              Votes: 56
              Watchers: 35
