Details
- Bug
- Resolution: Fixed
- Medium
- 3.3
- I noticed this first on CAC
Description
It was initially believed that a Confluence user account had to have some kind of Global Admin privilege to allow the editing of any space's PDF stylesheet/layout:
- The PDF Layout — for example, http://confluence.atlassian.com/spaces/flyingpdf/viewpdflayoutconfig.action?key=ALLDOC and
- The PDF Stylesheet — for example, http://confluence.atlassian.com/spaces/flyingpdf/viewpdfstyleconfig.action?key=ALLDOC
If I log in to Confluence using an account with Space Administrator permissions for the ALLDOC space (but which has no Global Admin privileges), the two options above do not appear in the space's Space Administration area.
However, if I log in with this same account, copy the URLs above and paste them into my browser window, I can access these stylesheets, edit their content and save it.
We originally believed this lack of links on the space admin UI to be expected behaviour, due to a perceived risk of running malicious code in these text boxes (CONF-5808). Therefore, the fact that you could access these URLs (without Global Admin privileges) was believed to be a security risk - hence, the creation of this JAC issue. However...
After discussing this with Ryan Ackley, there doesn't appear to be a security risk for the PDF stylesheet/layout templates. So, instead of restricting access to these functions to confluence administrators, these functions can be made available to space administrators as well.
The fix is to re-enable the "PDF Layout" and "PDF Stylesheet" menu items if the user is a space administrator. The "Layout" and "Stylesheet" will continue to be restricted to confluence administrators (i.e. current behaviour).
See Craig's comment on CONF-5808, which backs up this claim.
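An added illustration (not Confluence's own code) of the state this ticket describes: the PDF Layout / PDF Stylesheet actions accepted a space administrator when reached by URL, while the space admin menu hid them as though they required a global admin. The predicate and audit function names are invented for the illustration; "ALLDOC" is the space named in the ticket.

```python
# Added example, not Confluence's own code. Models the drift between what the
# server enforces for an action and what the space admin menu shows; after the
# fix both are derived from one predicate, so they cannot diverge again.
from dataclasses import dataclass, field


@dataclass
class User:
    name: str
    global_admin: bool = False
    space_admin_of: set = field(default_factory=set)


def is_global_admin(user, space):
    return user.global_admin


def is_space_admin(user, space):
    # A global admin implicitly administers every space.
    return user.global_admin or space in user.space_admin_of


# What the server actually enforces when the action URL is requested.
ACTION_CHECK = {
    "PDF Layout": is_space_admin,
    "PDF Stylesheet": is_space_admin,
    "Layout": is_global_admin,
    "Stylesheet": is_global_admin,
}

# Menu visibility before the fix: every item treated as global-admin only.
MENU_BEFORE = {name: is_global_admin for name in ACTION_CHECK}

# After the fix: visibility reuses the predicate the action enforces.
MENU_AFTER = dict(ACTION_CHECK)


def find_drift(menu, user, space):
    """Return actions the server allows but the menu hides for this user."""
    return sorted(
        name for name, check in ACTION_CHECK.items()
        if check(user, space) and not menu[name](user, space)
    )


if __name__ == "__main__":
    alldoc_admin = User("space-admin", space_admin_of={"ALLDOC"})
    print(find_drift(MENU_BEFORE, alldoc_admin, "ALLDOC"))  # ['PDF Layout', 'PDF Stylesheet']
    print(find_drift(MENU_AFTER, alldoc_admin, "ALLDOC"))   # []
```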
Issue Links
- relates to CONFSERVER-5808 Allow Space Administrators Access to the Space Layout (Gathering Interest)