[#CONF-6057] Users can manually restrict pages operations to custom groups of which they are not members

Confluence

Users can manually restrict pages operations to custom groups of which they are not members

Created: 03/May/06 08:45 PM Updated: 09/Sep/07 09:02 PM

Component/s:

Editing

Affects Version/s:

2.2

Fix Version/s:

2.5

Time Tracking:

Not Specified

Environment:

N/A

Participants:	Andy Schoenbach, David Soul [Atlassian] and Don Willis [Atlassian]
Since last comment:	1 year, 12 weeks ago
Resolution Date:	09/Sep/07 09:02 PM
Labels:

Description

« Hide

Under Page Edit -> Restictions, when restricting page operations to groups, group entry text box does not validate that a user is a member before applying the group restriction. This can lock users out of their own pages. Instead, it should display an error same as 'Group not found' such as 'User must be a member of this group'.

To replicate, used 2.2 std and created new space. Added new group of which user is not a member, edited homepage of new test space and under restrictions went to group picker. Test group was correctly not displayed, only default groups. However the group name the user does not belong to can be entered manually without using picker menu, and is accepted.

David

All

Comments

Work Log

Change History

Sort Order:

[ Permlink | « Hide ]

Andy Schoenbach added a comment - 05/Sep/07 04:57 PM

I was surprised to see this feature show up in the list for implementation in version 2.6. We would NOT support implementing a requirement that a user must be a member of groups they want to use in restricting a page.

The problem David mentions (i.e. in which a user could lock themselves out of a page by adding a group they are not a member of) was fully RESOLVED when Confluence added the capability for using any combination of groups and individuals when restricitng a page. By default, the user is automatically as a viewer in addition to any other groups and individuals.

The whole purpose of adding multiple groups was to enable a user to build an appropriate viewing list from existing groups - most of which the user would not be a member. For example, I might want a page viewable by several offices in my organization pluse some in another organization, only one of which I actually am a member of. It would be inappropriate for me to be listed as a member of those offices.

Please don't implement this feature (unless I'm misunderstanding it). Thanks.

[ Permlink | « Hide ]

Don Willis [Atlassian] added a comment - 05/Sep/07 05:26 PM

Sorry to scare you Andy. I assigned it to myself purely to check that the implementation of ~~CONF-3701~~ made this bug obsolete. I haven't actually got around to that just yet. I'll take the fix-for version off to take the fear away.

Cheers,
Don

[ Permlink | « Hide ]

Andy Schoenbach added a comment - 05/Sep/07 05:38 PM

Whew... That is a relief. Conf-3701 definitely did make the bug obsolete, and its been a terrific functionality. THANKS Andy

[ Permlink | « Hide ]

Don Willis [Atlassian] added a comment - 09/Sep/07 09:02 PM

This was fixed in Confluence 2.5 as part of implementing ~~CONF-3701~~. Confluence now automatically includes the editing user in the list of viewers/editors whenever they try to restrict the page to exclude that user.

Scenario 1.

1. User starts editing page.
2. User sets restrictions to be only a group that does not include the user.
3. User saves page.
4. Confluence automatically adds explicit restriction for that user as well as the group specified by the user.

Scenario 2.

1. User starts editing page.
2. User sets restrictions to be a group that includes the user.
3. User saves page.
4. Confluence restricts the page exactly as requested by the user.