Confluence Server / CONFSERVER-25210

"Not Permitted" page when members of confluence-administrators attempt to edit pages on which they do not have edit permission

    Details

    • Symptom Severity:
      Major
    • Support reference count:
      42

      Description

      In Confluence 5.6.x, a member of the "confluence-administrators" group can click the "Edit" button and start editing the page. They receive a "Not Permitted" page when the "Save" button is clicked.

      If the "Close" button is clicked instead (to exit the editor without saving), a blank page will be returned instead.

      Steps to replicate

      1. Make User B a member of the confluence-administrators group
      2. User A creates a page and applies a restriction to a specific group
      3. User B is not a member of that group but is a Space Administrator for the space
      4. User B goes to the page and the edit function is enabled
      5. User B clicks Edit and starts to make changes
      6. User B finishes making changes to the page and clicks Save (which is enabled)
      7. User B gets the message "You are not permitted to perform this operation"

      Other Steps to replicate

      1. Make User A a member of the confluence-administrators group
      2. User A creates a space and makes User B the only Space Administrator
      3. User A goes to the page and the edit function is enabled
      4. User A clicks Edit and starts to make changes
      5. User A finishes making changes to the page and clicks Save (which is enabled)
      6. User A gets the message "You are not permitted to perform this operation"
      7. User A gets a blank page below the main Confluence top navigation bar when clicking Close after entering the editor.

      Workarounds

      There are a few workarounds to this, and reasons why we don't see this bug as critical:

      1. Most importantly, Atlassian recommends not using your administration account for regular use of Confluence. Create separate admin and user accounts instead.
      2. Use your admin powers to grant yourself permission to edit the page (at space and page level as required), then edit the page again.
      3. Use the back button to get back to your changes and copy/paste them for saving as a user that is explicitly permitted to edit the page. (If the back button doesn't work in your scenario, please raise a ticket with steps to reproduce - we'd like to fix this.)
      4. Until CONF-4616 is fixed, grant administrators "System Administration" permission but do not put them in the "confluence-administrators" group if you do not wish them to have access to all content in your system. (This is in relation to the original bug.)

      People

      • Votes: 34
      • Watchers: 52

      Dates

      • Last commented: 16 weeks, 3 days ago