Confluence is inconsistent in error messages for restricted spaces

XMLWordPrintable

      NOTE: This suggestion is for Confluence Server. Using Confluence Cloud? See the corresponding suggestion.

      Synopsis:

      If you browse to a specific page in a restricted space that you don't have access to, you'll receive a 404 error stating that the page cannot be found, or perhaps that you don't have access to it.

      As per Matt Ryall's comment on CONF-9239, this is to ensure that we do not "leak information about the existence or non-existence of spaces which users don't have permission to see."

      A few comments later in the same ticket, Charles Miller comments that you can bypass the ambiguous 404 message to get a hard "Not Permitted" or "Doesn't Exist" error when browsing to the space key directly.

      If you have a restricted space with the key "RS", and the page title is "Restricted Space Home", the following is true:

      1. Browsing to /display/RS/Restricted+Space+Home produces the ambigous 404 error
      2. Browsing to /display/RS/ displays a "Not Permitted" action.
      3. Browsing to /display/FOO/ (that doesn't exist) displays a "Page Not Found" error.

            Assignee:
            Unassigned
            Reporter:
            Dave Norton
            Votes:
            2 Vote for this issue
            Watchers:
            3 Start watching this issue

              Created:
              Updated:
              Resolved: