Users can move attachments to a space they have no permission for

XMLWordPrintable

      Any user with permission to edit pages in a space can move attachments in that space to any page in Confluence.

      Eg: suppose we have a user named StandardUser who has permission to edit pages in GeneralSpace, but no permission to view or edit RestrictedSpace, which contains a page predictably named Home.
      StandardUser:

      • goes to the attachments view of a page with attachments in GeneralSpace.
      • clicks edit.
      • types "RestrictedSpace:Home" into the Page field and clicks save.

      The attachment is moved.

      The user should really need the following permissions:
      View Space for RestrictedSpace
      Create Attachment for RestrictedSpace
      Furthermore, the user should not be restricted from viewing or editing the target page by any page level restrictions.

        1. ConfluenceActionSupport.properties
          325 kB
        2. MoveAttachmentAction.class
          11 kB

            Assignee:
            Unassigned
            Reporter:
            Stafford Vaughan [CustomWare]
            Votes:
            0 Vote for this issue
            Watchers:
            1 Start watching this issue

              Created:
              Updated:
              Resolved: