Restrict access to https://api.media.atlassian.com download to only authenticated users

      Issue Summary

      Media API links for attachments within products are accessible by external users who are not authenticated on the site.

      Steps to Reproduce

      1. Create a Confluence page
      2. Add some images/screenshots
      3. Open the image from the attachment section or try to download the images
      4. It will generate a request to the Media platform: https://api.media.atlassian.com/file/XXXXXXXXX/binary?client=XXXXXXXXX&token=XXXXXXXX&name=FILE-NAME.png
      5. Copy the link of the request from the browser Network Tab
      6. Try accessing it from a browser where you are not authenticated to Confluence

      Expected Results

      External users who do not have access to the site should not be able to see the image. The link should only be accessible to authorized users.

      Actual Results

      External users can download the image with the link shared.

      Workaround

      No workaround available.
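
Since the link from step 4 works without a session, it acts as a credential wherever it is pasted. An added example (not part of the original issue or Atlassian code) that finds such links in text such as tickets or chat exports and redacts the `token` parameter; host, path shape and parameter names are taken from step 4, while function names and sample values are made up here:

```python
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

MEDIA_HOST = "api.media.atlassian.com"
# Path shape taken from the request in step 4: /file/<id>/binary
BINARY_PATH = re.compile(r"^/file/([^/]+)/binary$")
URL_RE = re.compile(r"https://[^\s\"'<>]+")
REDACTED = "REDACTED"


def redact_media_link(url):
    """Return (file_id, redacted_url) for a Media API binary link that
    carries a token parameter, else None."""
    parts = urlsplit(url)
    # Compare the parsed hostname, not a substring, so look-alike hosts are ignored.
    if (parts.hostname or "").lower() != MEDIA_HOST:
        return None
    m = BINARY_PATH.match(parts.path)
    if not m:
        return None
    query = parse_qsl(parts.query, keep_blank_values=True)
    if not any(k == "token" for k, _ in query):
        return None
    safe = [(k, REDACTED if k == "token" else v) for k, v in query]
    return m.group(1), urlunsplit(parts._replace(query=urlencode(safe)))


def scan_text(text):
    """Redact every tokenised Media API link in text; return (clean_text, file_ids)."""
    found = []

    def _sub(match):
        hit = redact_media_link(match.group(0))
        if hit is None:
            return match.group(0)  # not a Media API link: leave untouched
        found.append(hit[0])
        return hit[1]

    return URL_RE.sub(_sub, text), found


# Constructed sample: the file id, client id and token are made up.
SAMPLE = (
    "see https://api.media.atlassian.com/file/abc-123/binary"
    "?client=c1&token=s3cr3t&name=shot.png for the screenshot\n"
    "docs: https://example.com/file/abc-123/binary?token=zzz\n"
)
```

The returned file ids identify which attachments had a link shared in the scanned text.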

            Assignee:
            Kunwardeep Singh
            Reporter:
            Uchechi I