Description
Issue Summary
Media API links for attachments within products are accessible by external users who are not authenticated on the site.
Steps to Reproduce
- Create a Confluence page
- Add some images/screenshots
- Open the image from the attachment section or try to download the images
- It will generate a request to the Media platform: https://api.media.atlassian.com/file/XXXXXXXXX/binary?client=XXXXXXXXX&token=XXXXXXXX&name=FILE-NAME.png
- Copy the link of the request from the browser Network Tab
- Try accessing it from a browser where you are not authenticated to Confluence
Expected Results
External users who do not have access to the site should not be able to see the image. The link should only be accessible to authorized users.
Actual Results
External users can download the image with the link shared.
Workaround
No workaround available.
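The check a site admin or QA engineer would want for this ticket, as an added example that is not part of the original report: given a captured Media API link of the form shown in the steps above, confirm the Expected Result (an anonymous request is refused) and report the link with the token redacted. The `fetch` callable is injected so the check runs offline against constructed stubs; the file, client and token values below are placeholders, not real identifiers.

```python
"""Added example: verify that a captured Media API binary link is not served
to an unauthenticated client, as the ticket's Expected Result requires."""
from urllib.parse import urlparse, parse_qs, urlencode, urlunparse

MEDIA_HOST = "api.media.atlassian.com"  # host named in the ticket


def is_media_binary_link(url: str) -> bool:
    """True for https://api.media.atlassian.com/file/<id>/binary?... links."""
    p = urlparse(url)
    parts = p.path.strip("/").split("/")
    return (p.scheme == "https" and p.netloc == MEDIA_HOST
            and len(parts) == 3 and parts[0] == "file" and parts[2] == "binary")


def redact_token(url: str) -> str:
    """Replace the token query value so the link can go into a report safely."""
    p = urlparse(url)
    q = parse_qs(p.query, keep_blank_values=True)
    if "token" in q:
        q["token"] = ["REDACTED"]
    return urlunparse(p._replace(query=urlencode(q, doseq=True)))


def check_unauthenticated_access(url: str, fetch) -> dict:
    """fetch(url) returns the HTTP status of an anonymous GET (no Confluence
    session cookies). 'exposed' is True when the binary is served anyway."""
    if not is_media_binary_link(url):
        raise ValueError("not a Media API binary link: " + redact_token(url))
    status = fetch(url)
    return {"url": redact_token(url), "status": status, "exposed": status == 200}


# Constructed stub reproducing the Actual Result: anyone holding the token gets the file.
def leaky_fetch(url: str) -> int:
    return 200 if parse_qs(urlparse(url).query).get("token") else 401


# Constructed stub reproducing the Expected Result: the token alone is not enough.
def fixed_fetch(url: str) -> int:
    return 403


SAMPLE = ("https://api.media.atlassian.com/file/FILE-ID-PLACEHOLDER/binary"
          "?client=CLIENT-ID-PLACEHOLDER&token=TOKEN-PLACEHOLDER&name=screenshot.png")

if __name__ == "__main__":
    print(check_unauthenticated_access(SAMPLE, leaky_fetch))  # exposed: True
    print(check_unauthenticated_access(SAMPLE, fixed_fetch))  # exposed: False
```

With a real client, `fetch` would perform the GET from a session that holds no Confluence cookies, which is exactly the reproduction step in the ticket.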
Issue Links
- is cloned from ACCESS-1793 Restrict access to https://api.media.atlassian.com download to only allowed IP addresses in the configured IP allowlist (Needs Triage)
- resolves ACE-5095