  1. Confluence Data Center
  2. CONFSERVER-14985

Handling of non-viewable spaces is inconsistent and leaks information


Details

    • Bug
    • Resolution: Won't Fix
    • Medium

    Description

      NOTE: This bug report is for Confluence Server. Using Confluence Cloud? See the corresponding bug report.

      According to our stated security goals, if a user does not have permission to view a space, they should not receive any indication that the space does (or might) exist. As such, any attempt to perform an action on a space the user cannot see should have the same result as if the space did not exist.

      In a number of places, users get a "not permitted" message for spaces that exist, but a "not found" message for spaces that do not. We should audit the various space actions (probably making them implement SpaceAware as the SpaceAwareInterceptor deals with this case correctly), and also the remote API.

      (This issue arises from CONF-9239)
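
An added sketch of the audit proposed above, not Confluence code: it models space actions in Python and flags any action whose response to a hidden space differs from its response to a nonexistent one. All names and sample data are constructed; `resolve_space` stands in for a shared lookup of the kind the report attributes to SpaceAwareInterceptor.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Response:
    status: int
    body: str

# Constructed sample data: space key -> users allowed to view it.
SPACES = {"PUBLIC": {"alice", "bob"}, "SECRET": {"alice"}}

NOT_FOUND = Response(404, "Space not found")

def resolve_space(user, key):
    """Shared lookup: a space the user cannot view resolves exactly like a missing one."""
    viewers = SPACES.get(key)
    if viewers is None or user not in viewers:
        return None
    return key

def view_space(user, key):
    """Consistent action: uses resolve_space, so there is only one failure response."""
    space = resolve_space(user, key)
    return NOT_FOUND if space is None else Response(200, f"Contents of {space}")

def export_space(user, key):
    """Inconsistent action: its own existence check runs before the permission check."""
    if key not in SPACES:
        return Response(404, "Space not found")
    if user not in SPACES[key]:
        return Response(403, "Not permitted")
    return Response(200, f"Export of {key}")

def audit_actions(actions, user, hidden_key, missing_key):
    """Return the names of actions that answer differently for a hidden and a missing space."""
    if hidden_key not in SPACES or user in SPACES[hidden_key]:
        raise ValueError("hidden_key must exist and be non-viewable for user")
    if missing_key in SPACES:
        raise ValueError("missing_key must not exist")
    return [name for name, action in actions.items()
            if action(user, hidden_key) != action(user, missing_key)]

ACTIONS = {"view": view_space, "export": export_space}

if __name__ == "__main__":
    # bob cannot view SECRET; NOSUCH does not exist.
    print(audit_actions(ACTIONS, "bob", "SECRET", "NOSUCH"))
```

The comparison covers the whole response (status and body), since either one can reveal that the space exists.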


            People

              Unassigned Unassigned
              cmiller CharlesA