Even if I start Confluence with -Dconfluence.disable.peopledirectory.anonymous=true, it is still possible to browse individual users by visiting a URL like https://[wikiBaseUrl]/display/~[accountName].

      This is a major security problem for us because it exposes:
      1. The user's name
      2. The user's ID
      3. The user's email address

      Evidence of the data leakage can be found by searching Google on the account name of people in the People Directory.

      Because of this problem, we had to disable all anonymous access to our system, and I am dealing with fallout from reduced institutional confidence in Atlassian Confluence.

      "Best security practices" should require this information not be made available anonymously without a sysadmin override.

Also, it should be easier for administrators to restrict access than by hacking the registry (for Windows Service-based installs) or modifying setenv.bat.

      I set priority to "critical" because:
      A. This has negatively impacted our use of Atlassian. I had to disable anonymous view privileges on wiki spaces that we needed to be exposed to the world (like our Help Desk wiki space).
      B. This is a security hole.
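The report says the leakage was discovered by searching Google for account names, i.e. after crawlers had already fetched the profile pages. An administrator can find the same exposure in their own web-server access logs before a search engine does. The script below is an added defender-side example, not part of the original issue or of Confluence itself: it parses access-log lines, picks out requests for profile URLs of the form /display/~accountName (including the percent-encoded %7E form that some servers log), and counts the ones that were served to anonymous clients. It assumes the reverse proxy or Tomcat in front of Confluence writes Common Log Format, and the sample log lines and account names are constructed for illustration.

```python
import re
from collections import Counter
from urllib.parse import unquote, urlsplit

# Common Log Format: host ident authuser [date] "request" status bytes
# (assumption: the access log in front of Confluence uses this format;
# adjust the pattern for a custom AccessLogValve pattern)
CLF = re.compile(
    r'^(?P<host>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]+)" (?P<status>\d{3}) (?P<size>\S+)'
)

# User profile URLs have the shape /display/~<accountName>. The tilde is
# sometimes logged percent-encoded as %7E, so the path is decoded first.
PROFILE = re.compile(r'^/display/~(?P<account>[^/]+)$')


def parse_line(line):
    """Split one access-log line into named fields, or None if it does not parse."""
    m = CLF.match(line)
    return m.groupdict() if m else None


def profile_account(target):
    """Return the account name if the request target is a profile URL, else None."""
    path = unquote(urlsplit(target).path)   # drop query string, decode %7E
    m = PROFILE.match(path)
    return m.group('account') if m else None


def anonymous_profile_views(lines):
    """Count profile pages served to anonymous clients, keyed by account name.

    A request is anonymous when the authuser field is '-' and it counts as
    served when the status is 2xx; blocked (401/403) requests are ignored.
    """
    hits = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        account = profile_account(rec['target'])
        if account is None:
            continue
        if rec['user'] == '-' and rec['status'].startswith('2'):
            hits[account] += 1
    return hits


# Constructed sample lines; hosts and account names are fictitious.
SAMPLE_LOG = [
    '66.249.66.1 - - [10/Mar/2009:08:14:02 +0000] "GET /display/~jsmith HTTP/1.1" 200 5120',
    '66.249.66.1 - - [10/Mar/2009:08:14:05 +0000] "GET /display/%7Ejsmith?src=search HTTP/1.1" 200 5120',
    '10.0.0.5 - admin [10/Mar/2009:09:00:00 +0000] "GET /display/~jsmith HTTP/1.1" 200 5120',
    '66.249.66.1 - - [10/Mar/2009:09:10:00 +0000] "GET /display/~bjones HTTP/1.1" 403 412',
    '66.249.66.1 - - [10/Mar/2009:09:12:00 +0000] "GET /display/HELP/Home HTTP/1.1" 200 9001',
    'garbage line that does not parse',
]

if __name__ == '__main__':
    for account, n in anonymous_profile_views(SAMPLE_LOG).most_common():
        print(f'{account}: {n} profile view(s) served anonymously')
```

Run against a real log, a non-empty result means the profile pages are reachable without a login regardless of what the peopledirectory flag says; an empty result after the permission change is the check that the fix actually took effect. The authenticated request from `admin` and the 403 for `bjones` are deliberately not counted, so the output reflects only what an outsider actually received.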

            [CONFSERVER-13276] Restrict anonymous users from viewing user profiles.

            Per Fragemann [Atlassian] added a comment - transitioning all public issues that are marked as fixed against internal milestones m1 to m7 to the new fixed-for version 3.0, so they show up better in the changelog. will soon archive all milestones, so these issues would not show up anymore in jira otherwise

Mark Hrynczak (Inactive) added a comment -

Hi Prasad,

1. We are aiming for a mid-year release of Confluence 3.0.

2. This issue is solely about the permission for anonymous user access to user profiles. Your request seems to match with the New Feature requested as CONF-12907 - this is not currently planned for 3.0.

Cheers,
Mark

Prasad Iyer added a comment -

Thanks, Andrew.

Couple of questions:

1. Roughly when would 3.0 be released? We would like to resolve this issue at the earliest before the privacy concerns raised at our institution get out of hand.

2. Would this new feature also include a global permission that can be set by the Confluence admin to prevent anonymous users from creating pages within a Space?
As of now, this can only be done at the Space admin level and it is quite difficult to detect and regulate an ever increasing number of Spaces created by our users.

            Paul Curren added a comment - Review by Andrew. Charles was unavailable.

            Paul Curren added a comment - Added alynch as a reviewer since Charles is pretty busy this week.

Andrew Lynch (Inactive) added a comment -

Hi Prasad,

This feature will be available in Confluence 3.0.

Regards,
Andrew Lynch

            Prasad Iyer added a comment - Paul, may I know in which version the new anonymous user global permission would be available?

            Paul Curren added a comment - A new anonymous user global permission has been added and can be set through the existing 'Global Permissions' admin screen. You should view the various related documentation tasks for further information about this.

            Paul Curren added a comment - The documentation task for the new global permission has been linked. It's CONF-14361.

            Paul Curren added a comment - The documentation task for the RPC methods added for this fix has been linked. It's CONF-14359.

Paul Curren
Aren Cambre
Affected customers: 7
Watchers: 7