Loading...

XML

Word

Printable

Details

Type: Suggestion
Resolution: Duplicate
Fix Version/s: None
Component/s: None
Labels:

Feedback Policy:

We collect Confluence feedback from various sources, and we evaluate what we've collected when planning our product roadmap. To understand how this piece of feedback will be reviewed, see our Implementation of New Features Policy.

Description

NOTE: This suggestion is for Confluence Server. Using Confluence Cloud? See the corresponding suggestion.

We have macros that could reveal particularly sensitive information (e.g., email address) that we use for administration and the ability to 'call them' currently has no restrictions on them.

Even though they can be 'hidden' from non-administrators in the macro browser, they can still be called by them if they know the name of the macro. Thus a client user, who has the ability to only post comments, can call them simply by typing them into a comment box. Of course, this would require them to know what they're called but if they find out then they could have access to particularly sensitive information.

There should be a permission about who can 'call' some macros. If an administrator, or someone with sufficient privileges, has added them to a page then they should remain and be editable by those who can edit the page but calling new instances of them shouldn't be allowed.

Attachments

Issue Links

duplicates

CONFSERVER-3918 Permissions for macros.

Gathering Interest

relates to

CONFCLOUD-26434 Add ability to prevent certain users from calling certain user macros

Closed

Activity

People

Assignee:: John Masson

Reporter:: Steve Goldberg

Votes:: 0 Vote for this issue

Watchers:: 1 Start watching this issue

Dates

Created:: 28/Aug/2012 2:53 PM

Updated:: 19/Sep/2019 5:23 AM

Resolved:: 05/Sep/2012 2:37 AM