Uploaded image for project: 'Confluence Server'
  1. Confluence Server
  2. CONFSERVER-11452

Users can move attachments to a space they have no permission for

    XMLWordPrintable

    Details

    • Type: Bug
    • Status: Closed
    • Priority: High
    • Resolution: Fixed
    • Affects Version/s: 2.7, 2.8
    • Fix Version/s: 2.8.1
    • Component/s: None

      Description

      Any user with permission to edit pages in a space can move attachments in that space to any page in Confluence.

      Eg: suppose we have a user named StandardUser who has permission to edit pages in GeneralSpace, but no permission to view or edit RestrictedSpace, which contains a page predictably named Home.
      StandardUser:

      • goes to the attachments view of a page with attachments in GeneralSpace.
      • clicks edit.
      • types "RestrictedSpace:Home" into the Page field and clicks save.

      The attachment is moved.

      The user should really need the following permissions:
      View Space for RestrictedSpace
      Create Attachment for RestrictedSpace
      Furthermore, the user should not be restricted from viewing or editing the target page by any page level restrictions.

        Attachments

          Activity

            People

            • Votes:
              0 Vote for this issue
              Watchers:
              1 Start watching this issue

              Dates

              • Created:
                Updated:
                Resolved:
                Last commented:
                11 years, 2 weeks, 1 day ago