Confluence Cloud: CONFCLOUD-53596

Linking Service Desk Knowledge base grants restricted users access to space


    Description

      Summary

      If you've restricted a user from spaces in Confluence, and you then link one of those restricted spaces as a Knowledge Base in Service Desk, the user suddenly has access to it, even though they are not a Service Desk customer.

      Environment

      • JIRA Service Desk 3.2.0-OD-04-003-D20160224T230516
      • Confluence Cloud 6.0.0-OD-2016.10.0-1050

      Steps to Reproduce

      In Confluence

      1. Create a special group to use to restrict users, (e.g. restrictedusers)
      2. Choose a user to restrict. Remove their access to the default Confluence users group and make sure they are not a JIRA user.
      3. Add the user to the restrictedusers group.
      4. Go to Global Permissions and add restrictedusers to Can Use for Confluence.
      5. Navigate to one space that you will restrict. Add the restrictedusers group to have access to the space.
      6. When you log in as the user, you should only have access to one space. You can see this from the Space Directory.

      In JIRA Service Desk

      1. Navigate to a Service Desk, go to Project Settings > Knowledge Base
      2. Select Link to a Confluence Space
      3. Select your application, and one of the spaces that the user does NOT have access to.
      4. Click Link and select "All active users and customers can access the knowledge base without a Confluence license".
      5. Log back in as the restricted user and check the Space Directory again. You will see that the space has been added, even though the Confluence user has no access to JIRA Service Desk.

      Expected Results

      User should not have been given access to something they were restricted from.

      Actual Results

      Instead, they are given access. I think the key here is that it says "All active users and customers can access the knowledge base without a Confluence license", so this would include all Confluence users, even those restricted. This is a security issue.

      Notes

      This is especially bad due to the fact that once a user has been given access to a space as a knowledge base, it cannot be revoked, even if you remove access later:

      https://jira.atlassian.com/browse/CONF-40890

      Workaround

      No current workaround
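A way to verify the condition described in the steps above after linking a knowledge base, as an added example that is not part of the bug report and not Atlassian's code: log in as the restricted account, list every space the Confluence Cloud REST API returns for that caller, and diff it against the set of spaces the account was actually granted. It assumes the v1 endpoint GET /wiki/rest/api/space (which lists only the spaces visible to the authenticated caller), Basic auth with an Atlassian account email plus API token, and pagination via a "_links.next" path relative to the wiki base URL; the site URL, account, space keys and the two canned response pages are constructed for the offline run.

```python
"""Audit the spaces a restricted Confluence Cloud user can actually see.

Added example, not code from the bug report or from Atlassian. It assumes
the Confluence Cloud v1 REST endpoint GET /wiki/rest/api/space (which lists
only the spaces visible to the authenticated caller), Basic auth with an
Atlassian account email plus API token, and pagination through "_links.next".
"""
import base64
import json
import urllib.request
from typing import Callable, Dict, Iterable, List, Set

# Constructed site and expectations; not a real tenant.
BASE_URL = "https://example.atlassian.net/wiki"
ALLOWED_SPACES = {"HR"}  # the one space the restricted user was granted


def basic_auth_header(email: str, api_token: str) -> str:
    """Build the Authorization header Confluence Cloud accepts for API tokens."""
    raw = f"{email}:{api_token}".encode()
    return "Basic " + base64.b64encode(raw).decode()


def http_get_json(url: str, auth_header: str) -> dict:
    """Real network fetch; only used when auditing a live site."""
    req = urllib.request.Request(
        url, headers={"Authorization": auth_header, "Accept": "application/json"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def visible_space_keys(base_url: str, get: Callable[[str], dict],
                       limit: int = 25, max_pages: int = 200) -> Set[str]:
    """Walk every page of /rest/api/space as the caller and collect space keys.

    `get` takes a URL and returns parsed JSON, so the walk can run offline
    against canned pages. Each page's "_links.next" is assumed to be a path
    relative to the wiki base, e.g. "/rest/api/space?next=true&limit=25&start=25".
    """
    keys: Set[str] = set()
    url = f"{base_url}/rest/api/space?limit={limit}&start=0"
    for _ in range(max_pages):  # bound the walk in case a site keeps paging
        page = get(url)
        for space in page.get("results", []):
            keys.add(space["key"])
        nxt = page.get("_links", {}).get("next")
        if not nxt:
            break
        url = base_url + nxt
    return keys


def unexpected_spaces(visible: Iterable[str], allowed: Iterable[str]) -> List[str]:
    """Spaces the user can see but was never granted: these are the leak."""
    return sorted(set(visible) - set(allowed))


def audit_live(email: str, api_token: str, allowed: Iterable[str],
               base_url: str = BASE_URL) -> List[str]:
    """Run the check against a live site, authenticated as the restricted user."""
    auth = basic_auth_header(email, api_token)
    visible = visible_space_keys(base_url, lambda u: http_get_json(u, auth))
    return unexpected_spaces(visible, allowed)


# Constructed two-page listing, shaped like the v1 space API response, as the
# restricted user would see it after the KB space was linked in Service Desk.
SAMPLE_PAGES: Dict[str, dict] = {
    f"{BASE_URL}/rest/api/space?limit=25&start=0": {
        "results": [{"key": "HR", "name": "HR Policies", "type": "global"}],
        "start": 0, "limit": 25, "size": 1,
        "_links": {"next": "/rest/api/space?next=true&limit=25&start=25"},
    },
    f"{BASE_URL}/rest/api/space?next=true&limit=25&start=25": {
        "results": [{"key": "KB", "name": "Support Knowledge Base", "type": "global"}],
        "start": 25, "limit": 25, "size": 1,
        "_links": {},
    },
}


def audit_sample() -> List[str]:
    """Offline run over SAMPLE_PAGES; returns the space keys leaked to the user."""
    visible = visible_space_keys(BASE_URL, SAMPLE_PAGES.__getitem__)
    return unexpected_spaces(visible, ALLOWED_SPACES)


if __name__ == "__main__":
    leaked = audit_sample()
    print("visible but not granted:", leaked or "none")
```

Run audit_live with the restricted user's own email and API token, not an admin's: the point is to see the directory from that account's side, which is exactly what the Space Directory check in the steps does by hand. A non-empty result after the knowledge-base link is the behaviour this issue reports.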

    People

      Unassigned
      Shannon S (smackie@atlassian.com)
      Votes: 24
      Watchers: 22