Details
-
Bug
-
Resolution: Support Request
-
Highest
-
None
-
4.1.3
-
None
Description
A customer user was able to post a comment to a page under a "Private" Page. Our "Private" Pages have View restrictions to Employees and Contractors only. Customers should not be able to view Private Pages.
Steps to recreate:
1) Log into Confluence as Kevin Barnes.
2) Browse to Office Space.
3) Private folder is not visible.
4) Select a Private Page from "Recently Updated" section.
5) This user is able to access the Page.
Checked Permissions:
- Kevin Barnes is setup as a Customer in Crowd within jira-users, confluence-users, QuickLive Customers and Office Customers groups.
- When a page is specifically restricted, he is not able to view.
- Child pages of restricted pages are visible by either URL or through Recently Updated items.
Immediate Workaround: Removed "Recently Updated" sections from spaces.
Confirmed documentation for Atlassian shows that child pages should inherit View restrictions from parent pages in hierarchy:
"If a page has its 'View' restriction set, that restriction will be inherited by all its children (and their children, and so on)."
http://confluence.atlassian.com/display/DOC/Page+Restrictions
Is this an issue with View Restrictions in Confluence 4.1.3?
Also, we are seeing recent issues with Search Indexing. Could this be related to Search Indexing if indexes are not picking up View Restrictions?
Attachments
Issue Links
- is caused by
-
-
- Closed
-
