REST API access to restricted page via admin key bypasses page-owner emails and audit logging


    • Type: Suggestion
    • Resolution: Unresolved
    • Component/s: Site - Admin Key

      When the admin key is used to access a restricted page from the REST API, it does not send the email to the page owner. It also does not create an entry in the Confluence audit logs about the page access. Both of these features are available when the page is accessed from the UI.

       

      Steps to replicate:

      1. Enable the admin key (Doc: https://developer.atlassian.com/cloud/confluence/rest/v2/api-group-admin-key/#api-group-admin-key)
      2. Get the page content using: 
        https://{your_domain}/wiki/api/v2/pages/{pageID}?body-format=storage

        Keep the header Atl-Confluence-With-Admin-Key: true

      Sample cURL:

      curl --location 'https://{your_domain}/wiki/api/v2/pages/{pageID}?body-format=storage' \
      --header 'Accept: application/json' \
      --header 'Atl-Confluence-With-Admin-Key: true' \
      --header 'Authorization: Basic <key>' 

      3. Check the Confluence audit logs and email inbox.

      The logs are visible under admin audit logs (admin.atlassian.com > Insights > Audit logs) 

              Assignee:
              Unassigned
              Reporter:
              Pronil Halder
              Votes:
              0
              Watchers:
              1
