[CONFSERVER-11452] Users can move attachments to a space they have no permission for - Create and track feature requests for Atlassian products.

Type: Bug
Resolution: Fixed
Priority: High
Fix Version/s: 2.8.1
Affects Version/s: 2.7, 2.8
Component/s: None
Labels:

Bug Fix Policy:
View Atlassian Server bug fix policy

Any user with permission to edit pages in a space can move attachments in that space to any page in Confluence.

Eg: suppose we have a user named StandardUser who has permission to edit pages in GeneralSpace, but no permission to view or edit RestrictedSpace, which contains a page predictably named Home.
StandardUser:

goes to the attachments view of a page with attachments in GeneralSpace.
clicks edit.
types "RestrictedSpace:Home" into the Page field and clicks save.

The attachment is moved.

The user should really need the following permissions:
View Space for RestrictedSpace
Create Attachment for RestrictedSpace
Furthermore, the user should not be restricted from viewing or editing the target page by any page level restrictions.

- - Sort By Name
  - Sort By Date
  - Ascending
  - Descending
  - Thumbnails
  - List

ConfluenceActionSupport.properties
325 kB
05/May/2008 1:32 AM
MoveAttachmentAction.class
11 kB
05/May/2008 2:20 AM

Assignee:: Unassigned

Reporter:: Stafford Vaughan [CustomWare]

Affected customers:: 0 This affects my team

Watchers:: 1 Start watching this issue

Created:: 15/Apr/2008 12:31 AM

Updated:: 11/Oct/2018 9:08 AM

Resolved:: 07/May/2008 3:51 AM

Details

Description

Attachments

Attachments

Forms

Activity

People

Dates