Vishwanath T R added a comment - 17/Mar/2019 6:27 PM @Katherine Yabut can you clarify if there is now a Confluence Cloud REST API that returns the effective permissions for a page (after factoring in global, space and parent permissions)? If not is there an ETA for when it will be available?

Tibor Hegyi [META-INF] added a comment - 30/Oct/2015 7:59 AM Hi, We have released a new add-on that may come to rescue those who want to see and understand the effective permissions. This add-on ( https://marketplace.atlassian.com/plugins/hu.metainf.plugin.confluence.ultimate-permission-manager ) combines global, space and page level permissions and restrictions into effective permissions with detailed explanations. You can easily understand how and why a user or group can or cannot access content in Confluence. It also allows you to centrally see / manage (comes soon) permissions throughout the site. Tibor

Matin Schiemann added a comment - 21/Jun/2014 6:24 AM - edited It would be really helpful to be able to show the effective permissions on a page directly. Most support cases in our non-IT environment are due to this lack of transparency. The Atlassian checker plugin does not serve this need, it allows checking the effective permissions for one specific user only. Can't expect my users to do this each time before they share a page...

Sergey Svishchev added a comment - 21/May/2014 1:52 PM That plugin hasn't been updated for recent versions, apparently. Or has it been merged into the app?

Steffen Opel added a comment - 28/Aug/2013 10:32 PM The new Confluence Effective Permissions Checker published by Atlassian Labs seems to address this issue (haven't tested it myself yet though, just took note by chance): [...] the Confluence Effective Permissions Checker provides a quick summary of any user's view/edit permissions for the current page! Permissions are broken down into page, space and global level permissions, allowing Confluence administrators to quickly verify a page's effective permission without having to leave the page! This acts as an effective tool to troubleshoot why a user has been unintentionally blocked from viewing or editing a page.

Olivier Dupuy added a comment - 09/Mar/2011 3:59 PM - edited /** * Restrictions that we can set on a page. */ public enum ConfluencePagePermission { /** * The permission set on a given page. */ CONTENT_PERMISSION_VIEW( "View" ), /** * The permission set on a given page. */ CONTENT_PERMISSION_EDIT( "Edit" ); /** * Key. */ private final String key; /** * Constructor. * * @param key key */ private ConfluencePagePermission( String key) { if (!StringUtils.hasText(key)) { throw new IllegalArgumentException( "Bad key: " + key); } this .key = key; } /** * Get the key. * * @ return key */ public String getKey() { return key; } } public enum ConfluenceSpacePermissions { /** Create new pages and edit existing ones. */ EDITSPACE(ConfluenceSoapServiceProxy.PERMISSION_EDITSPACE, "modify" ), /** View all content in the space. */ VIEWSPACE(ConfluenceSoapServiceProxy.PERMISSION_VIEWSPACE, "view" ), ... } /** * Tells if this user has the corresponding content permission (view/edit) on this existing page. * * @param userName The username, null to use the publisher account * @param permissionType CONTENT_PERMISSION_VIEW or CONTENT_PERMISSION_EDIT * @param wikiPageId The page id. * * @ return true if he has the permission */ public boolean hasContentPermission( final String userName, final String permissionType, final long wikiPageId) { /** * View */ if (!ConfluencePagePermission.CONTENT_PERMISSION_VIEW.getKey().equals(permissionType) && !ConfluencePagePermission.CONTENT_PERMISSION_EDIT.getKey().equals(permissionType)) { throw new IllegalArgumentException( "Invalid content permission: " + permissionType); } String effectiveUserName = userName; if (StringUtils.isEmpty(userName)) { // use the publisher account try { effectiveUserName = getSystemConfiguration(SysConfig.WIKI_PUBLISHER_USERNAME_KEY); } catch (Exception e) { // Report the error. throw logAndThrowException( "Failed retrieve publisher name." , e); } } // Login as admin so we have access to all the spaces String token = loginToRemoteConfluence( false ); try { // you need of course to have access to the space RemotePage page = confluenceSoapService.getInstance().getPage(token, wikiPageId); String spaceKey = page.getSpace(); String [] spacePermissions = confluenceSoapService.getInstance().getPermissionsForUser(token, spaceKey, effectiveUserName); boolean spaceAccessView = false ; boolean spaceAccessEdit = false ; String retrievedPermissionViewSpace = ConfluenceSpacePermissions.VIEWSPACE.getRetrievedPermission(); String retrievedPermissionEditSpace = ConfluenceSpacePermissions.EDITSPACE.getRetrievedPermission(); for ( String spacePermission : spacePermissions) { if (retrievedPermissionEditSpace.equals(spacePermission)) { spaceAccessEdit = true ; } else if (retrievedPermissionViewSpace.equals(spacePermission)) { spaceAccessView = true ; } } // if no permission for the space, no need to insist if (ConfluencePagePermission.CONTENT_PERMISSION_VIEW.getKey().equals(permissionType) && !spaceAccessView) { return false ; } if (ConfluencePagePermission.CONTENT_PERMISSION_EDIT.getKey().equals(permissionType) && !spaceAccessEdit) { return false ; } // Get the Content permissions for this page. RemoteContentPermissionSet viewContentPermissions = confluenceSoapService.getInstance() .getContentPermissionSet(token, wikiPageId, ConfluencePagePermission.CONTENT_PERMISSION_VIEW.getKey()); RemoteContentPermissionSet editContentPermissions = confluenceSoapService.getInstance() .getContentPermissionSet(token, wikiPageId, ConfluencePagePermission.CONTENT_PERMISSION_EDIT.getKey()); // get the groups of the user String [] groups = confluenceSoapService.getInstance().getUserGroups(token, effectiveUserName); // We assume that no group is empty or that even if it is empty, giving the permission to the (empty) // group but not to the user effectively bars the user from having the permission. // does the user has the permission directly or through a group he belongs to? boolean everyoneCanView = (viewContentPermissions.getContentPermissions().length == 0); boolean hasViewPermission = hasContentPermission(ConfluencePagePermission.CONTENT_PERMISSION_VIEW.getKey(), effectiveUserName, groups, viewContentPermissions); boolean everyoneCanEdit = (editContentPermissions.getContentPermissions().length == 0); boolean hasEditPermission = hasContentPermission(ConfluencePagePermission.CONTENT_PERMISSION_EDIT.getKey(), effectiveUserName, groups, editContentPermissions); // calculate the final permission boolean hasEffectivePermission = hasEffectiveContentPermission(permissionType, everyoneCanView, hasViewPermission, everyoneCanEdit, hasEditPermission); return hasEffectivePermission; } catch (Exception ex) { // Report the error throw logAndThrowException( "Cannot check page content permission" , ex); } finally { // Logout logoutOfRemoteConfluence(token); } } /** * Tells if we have the permission based on the individual restrictions on the page. * * @param permissionType ConfluencePagePermission.CONTENT_PERMISSION_XXX * @param everyoneCanView true if everyone can view * @param hasViewPermission true if the user can specifically view * @param everyoneCanEdit true if everyone can edit * @param hasEditPermission true if the user can specifically edit * * @ return true if we have the requested permission, false otherwise * * <p/> * The system works with restrictions. If not entered, everyone can. If entered, only the ones listed can. * <p/> * We assume here that Alice and Bob have both the VIEW and CREATE page permissions in the space.<br/> * Without VIEW they cannot view Without CREATE(and EDIT), they cannot edit.<br/> * The content permission is in addition of these page permissions.<br/> * A user can have the permission individually or through a group he belongs to. This is the same result at * the end. * <p/> * Bug http: //jira.atlassian.com/browse/CONF-10271.<br/> * If other have "view" and you have "edit" but not "view" then you cannot view * <p/> * * <table border= "1" > * <thead> * <tr> * <th>ALICE-view-perm</th> * <th>BOB-view-perm</th> * <th>ALICE-edit-perm</th> * <th>BOB-edit-perm</th> * <th>ALICE-can-view</th> * <th>ALICE-can-edit</th> * </tr> * </thead> <tbody> * <tr> * <td>.</td> * <td>.</td> * <td>.</td> * <td>.</td> * <td>YES</td> * <td>YES</td> * </tr> * <tr> * <td>.</td> * <td>.</td> * <td>.</td> * <td>YES</td> * <td>YES</td> * <td>NO</td> * </tr> * <tr> * <td>.</td> * <td>.</td> * <td>YES</td> * <td>any</td> * <td>YES</td> * <td>YES</td> * </tr> * <tr> * <td>.</td> * <td>YES</td> * <td>.</td> * <td>.</td> * <td>NO</td> * <td>NO</td> * </tr> * <tr> * <td>.</td> * <td>YES</td> * <td>.</td> * <td>YES</td> * <td>NO</td> * <td>NO</td> * </tr> * <tr> * <td>.</td> * <td>YES</td> * <td>YES</td> * <td>any</td> * <td>NO</td> * <td>NO (bug)</td> * </tr> * <tr> * <td>YES</td> * <td>any</td> * <td>.</td> * <td>.</td> * <td>YES</td> * <td>YES</td> * </tr> * <tr> * <td>YES</td> * <td>any</td> * <td>.</td> * <td>YES</td> * <td>YES</td> * <td>NO</td> * </tr> * <tr> * <td>YES</td> * <td>any</td> * <td>YES</td> * <td>any</td> * <td>YES</td> * <td>YES</td> * </tr> * </tbody> * </table> */ protected boolean hasEffectiveContentPermission( final String permissionType, final boolean everyoneCanView, final boolean hasViewPermission, final boolean everyoneCanEdit, final boolean hasEditPermission) { // now we implement this ^*&#$ matrix logic if (ConfluencePagePermission.CONTENT_PERMISSION_VIEW.getKey().equals(permissionType)) { // the easy part return (hasViewPermission || // he explicitly has the permission everyoneCanView); // everyone can view so he can // If the condition is not true then view is restricted to some but not our user. // // Here is is the bug, he cannot view EVEN if he has edit if he others have view but not him } else if (ConfluencePagePermission.CONTENT_PERMISSION_EDIT.getKey().equals(permissionType)) { // the hard part return ((everyoneCanView && everyoneCanEdit) || // everyone can view and everyone can edit (everyoneCanView && hasEditPermission) || // everyone can view and you can edit (hasViewPermission && everyoneCanEdit) || // you can view and edit (hasViewPermission && hasEditPermission)); // you can view and edit } else { throw new IllegalArgumentException( "Invalid content permission: " + permissionType); } } /** * Tells if the user has the permission as an individual or through a group he belongs to. * * @param permissionType String * @param userName user name for login * @param groups groups the user belongs to * @param contentPermissions the permissions * * @ return true if he has the permission, false otherwise */ private boolean hasContentPermission( String permissionType, String userName, String [] groups, RemoteContentPermissionSet contentPermissions) { for (RemoteContentPermission contentPermission : contentPermissions.getContentPermissions()) { String theGroup = contentPermission.getGroupName(); if (permissionType.equals(contentPermission.getType())) { // the right permission if (userName.equals(contentPermission.getUserName())) { // he has explicitly the permission return true ; } else if (theGroup != null && theGroup.trim().length() > 0 && groups != null ) { for ( String group : groups) { if (theGroup.equals(group)) { // he has the permission through one of the groups he belongs to return true ; } } } } } return false ; } /** * test of hasEffectiveContentPermission. * */ @Test public void hasEffectiveContentPermission() { // everyoneCanView, hasViewPermission, everyoneCanEdit, hasEditPermission // view and edit are restricted to some but not you assertFalse(getWikiService().hasEffectiveContentPermission( ConfluencePagePermission.CONTENT_PERMISSION_VIEW.getKey(), false , false , false , false )); assertFalse(getWikiService().hasEffectiveContentPermission( ConfluencePagePermission.CONTENT_PERMISSION_EDIT.getKey(), false , false , false , false )); // view and edit are restricted to some and you can edit but cannot view but at the end nothing assertFalse(getWikiService().hasEffectiveContentPermission( ConfluencePagePermission.CONTENT_PERMISSION_VIEW.getKey(), false , false , false , true )); assertFalse(getWikiService().hasEffectiveContentPermission( ConfluencePagePermission.CONTENT_PERMISSION_EDIT.getKey(), false , false , false , true )); // view restricted to some, everyone can view but because you cannot view, you cannot assertFalse(getWikiService().hasEffectiveContentPermission( ConfluencePagePermission.CONTENT_PERMISSION_VIEW.getKey(), false , false , true , false )); assertFalse(getWikiService().hasEffectiveContentPermission( ConfluencePagePermission.CONTENT_PERMISSION_EDIT.getKey(), false , false , true , false )); // view restricted to some, everyone edit can view but because you cannot view, you cannot assertFalse(getWikiService().hasEffectiveContentPermission( ConfluencePagePermission.CONTENT_PERMISSION_VIEW.getKey(), false , false , true , true )); assertFalse(getWikiService().hasEffectiveContentPermission( ConfluencePagePermission.CONTENT_PERMISSION_EDIT.getKey(), false , false , true , true )); // you can view and are not in the ones authorised for edit assertTrue(getWikiService().hasEffectiveContentPermission( ConfluencePagePermission.CONTENT_PERMISSION_VIEW.getKey(), false , true , false , false )); assertFalse(getWikiService().hasEffectiveContentPermission( ConfluencePagePermission.CONTENT_PERMISSION_EDIT.getKey(), false , true , false , false )); // you can view and edit assertTrue(getWikiService().hasEffectiveContentPermission( ConfluencePagePermission.CONTENT_PERMISSION_VIEW.getKey(), false , true , false , true )); assertTrue(getWikiService().hasEffectiveContentPermission( ConfluencePagePermission.CONTENT_PERMISSION_EDIT.getKey(), false , true , false , true )); // you can view and cannot edit assertTrue(getWikiService().hasEffectiveContentPermission( ConfluencePagePermission.CONTENT_PERMISSION_VIEW.getKey(), false , true , true , false )); assertTrue(getWikiService().hasEffectiveContentPermission( ConfluencePagePermission.CONTENT_PERMISSION_EDIT.getKey(), false , true , true , false )); // you can view and cannot edit assertTrue(getWikiService().hasEffectiveContentPermission( ConfluencePagePermission.CONTENT_PERMISSION_VIEW.getKey(), false , true , true , true )); assertTrue(getWikiService().hasEffectiveContentPermission( ConfluencePagePermission.CONTENT_PERMISSION_EDIT.getKey(), false , true , true , true )); // view for all but edit is restricted to some but not you assertTrue(getWikiService().hasEffectiveContentPermission( ConfluencePagePermission.CONTENT_PERMISSION_VIEW.getKey(), true , false , false , false )); assertFalse(getWikiService().hasEffectiveContentPermission( ConfluencePagePermission.CONTENT_PERMISSION_EDIT.getKey(), true , false , false , false )); // view for all and edit just for you assertTrue(getWikiService().hasEffectiveContentPermission( ConfluencePagePermission.CONTENT_PERMISSION_VIEW.getKey(), true , false , false , true )); assertTrue(getWikiService().hasEffectiveContentPermission( ConfluencePagePermission.CONTENT_PERMISSION_EDIT.getKey(), true , false , false , true )); // view and edit for all assertTrue(getWikiService().hasEffectiveContentPermission( ConfluencePagePermission.CONTENT_PERMISSION_VIEW.getKey(), true , false , true , false )); assertTrue(getWikiService().hasEffectiveContentPermission( ConfluencePagePermission.CONTENT_PERMISSION_EDIT.getKey(), true , false , true , false )); // view for all and edit for everyone and you assertTrue(getWikiService().hasEffectiveContentPermission( ConfluencePagePermission.CONTENT_PERMISSION_VIEW.getKey(), true , false , true , true )); assertTrue(getWikiService().hasEffectiveContentPermission( ConfluencePagePermission.CONTENT_PERMISSION_EDIT.getKey(), true , false , true , true )); // view for everyone and you, edit for some assertTrue(getWikiService().hasEffectiveContentPermission( ConfluencePagePermission.CONTENT_PERMISSION_VIEW.getKey(), true , true , false , false )); assertFalse(getWikiService().hasEffectiveContentPermission( ConfluencePagePermission.CONTENT_PERMISSION_EDIT.getKey(), true , true , false , false )); // view for everyone and you, edit for just you assertTrue(getWikiService().hasEffectiveContentPermission( ConfluencePagePermission.CONTENT_PERMISSION_VIEW.getKey(), true , true , false , true )); assertTrue(getWikiService().hasEffectiveContentPermission( ConfluencePagePermission.CONTENT_PERMISSION_EDIT.getKey(), true , true , false , true )); // view for everyone and you, edit for everyone assertTrue(getWikiService().hasEffectiveContentPermission( ConfluencePagePermission.CONTENT_PERMISSION_VIEW.getKey(), true , true , true , false )); assertTrue(getWikiService().hasEffectiveContentPermission( ConfluencePagePermission.CONTENT_PERMISSION_EDIT.getKey(), true , true , true , false )); // view for everyone and you, edit for everyone and you assertTrue(getWikiService().hasEffectiveContentPermission( ConfluencePagePermission.CONTENT_PERMISSION_VIEW.getKey(), true , true , true , true )); assertTrue(getWikiService().hasEffectiveContentPermission( ConfluencePagePermission.CONTENT_PERMISSION_EDIT.getKey(), true , true , true , true )); }

Olivier Dupuy added a comment - 09/Mar/2011 3:56 PM - edited I had exactly the same problem. We create accounts and publish pages remotely. As the users can restrict a page in view or edit on the wiki, the publication fails. The solution is to test from the client before publishing. I need to replicate all the existing confluence logic which is not exposed as an API global permissions (I did not go so far but I could) space permissions (ability to add and edit pages in the space) page content permissions ("View" or "Edit") In addition of this there is the bug CONF-10271 This is a hell lot of work which should be exposed directly to be up to date with your security model I will put the code below in a comment for the poor one who has to do the same. Possibly I will have to implement the same logic to know if I can remotely add a comment... and why not an attachment... Related issue, not all the space permissions can be retrieved by RPC. Only 4 of them even if the user has all of them... CONF-21951 so as an example the ability to effectively remotely create an attachment cannot be asserted. The solution is for the remote API (and for the local one) is to add the effective.. variant for all the ones below e.g. for getPermissions(String token, String spaceKey) create getEffectivePermissions(String token, String spaceKey) page and space permissions listed on http://confluence.atlassian.com/display/CONFDEV/Remote+API+Specification#RemoteAPISpecification-Permission Vector<String> getPermissions(String token, String spaceKey) - Returns a Vector of Strings representing the permissions the current user has for this space (a list of "view", "modify", "comment" and / or "admin"). Vector<String> getPermissionsForUser(String token, String spaceKey, String userName) - Returns a Vector of Strings representing the permissions the given user has for this space. (since 2.1.4) Vector<Permission> getPagePermissions(String token, String pageId) - Returns a Vector of Permissions representing the permissions set on the given page. Vector<ContentPermissionSet> getContentPermissionSets(String token, String contentId) - returns all the page level permissions for this page as ContentPermissionSets Hashtable getContentPermissionSet(String token, String contentId, String permissionType) - returns the set of permissions on a page as a map of type to a list of ContentPermission, for the type of permission which is either 'View' or 'Edit'

Bernie Durfee added a comment - 21/Sep/2010 6:13 PM Absolutely. The page restrictions UI should show the effective permissions for the users that have specific page permissions. The problem I'm having is that a user was given edit permission (in the form of an anti-restriction) to a page. The user who received the permission still couldn't edit the page. The reason was the user was in a security group that was restricted (in the form of an anti-permission) from adding or editing pages in the space. This was awfully confusing and took quite a bit of digging to figure out. Besides the obvious need to fix the nomenclature surrounding the Confluence permissions system, the addition of an 'effective permissions' check would have made this easy to figure out. I could have seen that even though the user was give edit permission (anti-restriction) to the page, they were still being restricted by the space restriction (anti-permission). As I was writing this I noticed that the original request was submitted over 3 years ago. So I don't suppose I have a snowball's chance of seeing this implemented. Thanks anyway!