Uploaded image for project: 'Confluence Data Center'
  1. Confluence Data Center
  2. CONFSERVER-12859

Hidden pages' content can be viewed without permission using copypage.action

    XMLWordPrintable

Details

    Description

      If the id of a page is known by a user, that user can view the content of the page without having permissions to the space it is in. They need only construct the right URL.
      EG:
      Two spaces A and B
      Page with id 1 is in Space A
      User cannot see Space A
      User can see Space B

      The following URL will allow the user to copy the page to space B and view its content.

      http://confluence.example.com/pages/copypage.action?spaceKey=B&idOfPageToCopy=1

      Attachments

        1. CopyPageAction.class-2.6.2
          6 kB
        2. CopyPageAction.class-2.7.3
          6 kB
        3. CopyPageAction.class-2.8.2
          6 kB
        4. CopyPageAction.java-2.6.2
          4 kB
        5. CopyPageAction.java-2.7.3
          4 kB
        6. CopyPageAction.java-2.8.2
          4 kB

        Issue Links

          relates to

          Bug - A problem which impairs or prevents the functions of the product. CONFSERVER-12860 Hidden pages' content can be viewed without permission using diffpages.action

          • High - High priority issues
          • Closed

          Activity

            People

              don.willis@atlassian.com Don Willis
              don.willis@atlassian.com Don Willis
              Votes:
              0 Vote for this issue
              Watchers:
              2 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: