The upgrade task ConsolidatePermissionsUpgradeTask may remove some space permissions during upgrade which cause users to lose some or all of their space permissions when using a case sensitive database.

Symptoms

• Affected users appear in the logs for the ConsolidatePermissionsUpgradeTask as having duplicate permissions removed from a space
  Example log messages

  [atlassian.confluence.upgrade.ConsolidatePermissionsUpgradeTask] doUpgrade Consolidating SpacePermissions for Space Example Space (key=Example Space).
  [atlassian.confluence.upgrade.ConsolidatePermissionsUpgradeTask] removeDuplicateSpacePermissions Duplicate SpacePermission [REMOVEBLOG,0,null,Joe User] removed.
  [atlassian.confluence.upgrade.ConsolidatePermissionsUpgradeTask] removeDuplicateSpacePermissions Duplicate SpacePermission [CREATEATTACHMENT,0,null,Joe User] removed.
  ...
  

• Users no longer have their assigned permissions in the spaces
• In the space permissions, rows for "Unknown User" appear. The permissions for this user cannot be removed

At present this has been reported as affecting personal spaces exclusively, but it might be possible for this to affect other spaces.

Cause

It appears that the upgrade task may remove space permission records which are used by the HibernateSpacePermissionDao to correctly associate permissions to users. This occurs because the upgrade task is designed to consolidate permissions assigned to users which only vary by the case of the user name. Unfortunately the permission dao performs a case sensitive lookup against permissions and it is possible that the lookup will no longer match the correct records. The upgrade task is not particular with which record it deletes when consolidating the permissions.

Resolution

The attached class should allow the space permission lookup to find the permissions by performing a case insensitive lookup against the space permission table. We may need to look at a different approach to mitigating this problem in a future release of Confluence (e.g. a fix to the upgrade task perhaps)

To install this patch, shut down Confluence, make the necessary directories and copy the class to confluence_installation/WEB-INF/classes/com/atlassian/confluence/security/persistence/dao/hibernate/HibernateSpacePermissionDao.class

Permissioning should work correctly once Confluence is restarted.