Details
Type: Suggestion
Resolution: Unresolved
Description
Summary
If you've restricted a user from certain spaces in Confluence, and you then link one of those spaces as a Knowledge Base in Service Desk, the user suddenly gains access to that space, even though they are not a Service Desk customer.
Environment
- JIRA Service Desk 3.2.0-OD-04-003-D20160224T230516
- Confluence Cloud 6.0.0-OD-2016.10.0-1050
Steps to Reproduce
In Confluence
- Create a dedicated group to use for restricting users (e.g. restrictedusers).
- Choose a user to restrict. Remove them from the default Confluence users group and make sure they are not a JIRA user.
- Add the user to the restrictedusers group.
- Go to Global Permissions and grant the restrictedusers group Can Use for Confluence.
- Navigate to the one space the user is allowed to see. Give the restrictedusers group access to that space.
- When you log in as the user, you should have access to only one space. You can confirm this from the Space Directory.
In JIRA Service Desk
- Navigate to a Service Desk and go to Project Settings > Knowledge Base.
- Select Link to a Confluence Space.
- Select your application, and one of the spaces that the user does NOT have access to.
- Click Link and select "All active users and customers can access the knowledge base without a Confluence license".
- Log in again as the restricted user and check the Space Directory. You will see that the linked space has been added, even though this Confluence user has no access to JIRA Service Desk.
Expected Results
User should not have been given access to something they were restricted from.
Actual Results
Instead, they are given access. I think the key here is that it says "All active users and customers can access the knowledge base without a Confluence license", so this would include all Confluence users, even those restricted. This is a security issue.
Notes
This is especially bad due to the fact that once a user has been given access to a space as a knowledge base, it cannot be revoked, even if you remove access later:
https://jira.atlassian.com/browse/CONF-40890
Workaround
No current workaround
Issue Links
- is related to CONFCLOUD-72610: Restrict access to Service Desk knowledge base spaces to Service Desk customers only (status: Gathering Interest)