Uploaded image for project: 'Confluence Data Center'
  1. Confluence Data Center
  2. CONFSERVER-10807

Users with view permissions on a space are able to delete (purge) pages they don't have permission to edit/access

XMLWordPrintable

    • Icon: Bug Bug
    • Resolution: Fixed
    • Icon: Highest Highest
    • 2.7.2
    • 2.4.3, 2.7, 2.7.1
    • None

    • all

      If a user has at least view permissions on a space they can purge any page in that space using the URL:

      /pages/purgetrashitem.action?key=&contentId=

      and the right contentId and space key.

      A purge can be performed even if the page has not been marked for deletion.

      This issue has been replicated and verified by the Confluence support team:
      https://support.atlassian.com/browse/CSP-16133

      This is a critical security hole and should be fixed ASAP.

        1. patch-2.5.x-2.6.x.zip
          1 kB
        2. PurgeTrashItemAction.class
          3 kB

            [CONFSERVER-10807] Users with view permissions on a space are able to delete (purge) pages they don't have permission to edit/access

            Katherine Yabut made changes -
            Workflow Original: JAC Bug Workflow v3 [ 2892793 ] New: CONFSERVER Bug Workflow v4 [ 2984551 ]
            Owen made changes -
            Workflow Original: JAC Bug Workflow v2 [ 2780753 ] New: JAC Bug Workflow v3 [ 2892793 ]
            Status Original: Resolved [ 5 ] New: Closed [ 6 ]
            Owen made changes -
            Workflow Original: JAC Bug Workflow [ 2725367 ] New: JAC Bug Workflow v2 [ 2780753 ]
            Owen made changes -
            Workflow Original: Confluence Workflow - Public Facing - Restricted v5 - TEMP [ 2388936 ] New: JAC Bug Workflow [ 2725367 ]
            Katherine Yabut made changes -
            Workflow Original: Confluence Workflow - Public Facing - Restricted v5 [ 2266078 ] New: Confluence Workflow - Public Facing - Restricted v5 - TEMP [ 2388936 ]
            Katherine Yabut made changes -
            Workflow Original: Confluence Workflow - Public Facing - Restricted v5.1 - TEMP [ 2222597 ] New: Confluence Workflow - Public Facing - Restricted v5 [ 2266078 ]
            Katherine Yabut made changes -
            Workflow Original: Confluence Workflow - Public Facing - Restricted v5 - TEMP [ 2170991 ] New: Confluence Workflow - Public Facing - Restricted v5.1 - TEMP [ 2222597 ]
            Katherine Yabut made changes -
            Workflow Original: Confluence Workflow - Public Facing - Restricted v5 [ 1931860 ] New: Confluence Workflow - Public Facing - Restricted v5 - TEMP [ 2170991 ]
            Katherine Yabut made changes -
            Workflow Original: Confluence Workflow - Public Facing - Restricted v3 [ 1731935 ] New: Confluence Workflow - Public Facing - Restricted v5 [ 1931860 ]
            Katherine Yabut made changes -
            Workflow Original: CONF Bug Subtask WF (TEMP) [ 1690367 ] New: Confluence Workflow - Public Facing - Restricted v3 [ 1731935 ]

              dave@atlassian.com dave (Inactive)
              jhanji@imahima.com Neeraj Jhanji
              Affected customers:
              0 This affects my team
              Watchers:
              2 Start watching this issue

                Created:
                Updated:
                Resolved: