Uploaded image for project: 'Confluence Data Center'
  1. Confluence Data Center
  2. CONFSERVER-15160

Remote API Access Space Permission (PATCH)


    • We collect Confluence feedback from various sources, and we evaluate what we've collected when planning our product roadmap. To understand how this piece of feedback will be reviewed, see our Implementation of New Features Policy.

      NOTE: This suggestion is for Confluence Server. Using Confluence Cloud? See the corresponding suggestion.

      For large confluence installation it is important to have RemoteAPI access to Confluence, but at the same time, it is not desirable to give the remote access to everyone and everywhere. For this reason a new permission that would control access to the remote API is needed.

      It is unimaginable to have Confluence admins of big instances decide who should get the remote api access and for which space. Such a decision should be delegated to the space admins, which are the content owners for the given space and can make a qualified decision about the access via the RemoteAPI for their space.

      For this reason a new space permission is needed. This space permission would be controlled as any other permission via the Space Admin -> Permissions view.

      A patch with this functionality was developed against Confluence 2.x and the patch provided is rebased for 2.10.2. Patch was written in a minimalistic way in order to introduce minimal performance penalty and make it easy to port it between different confluence versions.

      In our case we wanted to restrict access to global remote api calls only to confluence admins as well, so we created a patch for that too (attached as remote-api-admin-authorization.patch). It would be nice if this patch was rewritten so that an individual global permission to access these global methods exists too, but this isn't as important for us as having the space permission patch accepted to the confluence source base. I'm attaching both patches just to give you an idea of what we do. It's up to you if you decide to take the admin patch and rewrite it so that a global permission exists as well.

      The order in which patches should be applied to confluence source base is remote-api-admin-authorization.patch -> remote-api-authorization.patch.

            Unassigned Unassigned
            15d9a6950818 Igor Minar
            6 Vote for this issue
            5 Start watching this issue