- Bug
- Resolution: Fixed
- Medium
- 5.6, 5.7, 5.8, 5.9.1, 5.8.10, 5.9.10, 5.8.13, 5.8.14, 5.9.12
- 42
- Severity 2 - Major
In Confluence 5.6.x, a member of the "confluence-administrators" group can click the "Edit" button and start editing the page. They receive a "Not Permitted" page when the "Save" button is clicked.
If the "Close" button is clicked instead (to exit the editor without saving), a blank page is returned.
Steps to replicate
- Make User B a member of the confluence-administrators group
- User A creates a page and applies a restriction to a specific group
- User B is not a member of that group but is a Space Administrator for the space
- User B goes to the page and the edit function is enabled
- User B clicks Edit and starts to make changes
- User B finishes making changes to the page and clicks Save (which is enabled)
- User B gets the message "You are not permitted to perform this operation"
Other Steps to replicate
- Make User A a member of the confluence-administrators group
- User A creates a space and makes User B the only Space Administrator
- User A goes to the page and the edit function is enabled
- User A clicks Edit and starts to make changes
- User A finishes making changes to the page and clicks Save (which is enabled)
- User A gets the message "You are not permitted to perform this operation"
- User A gets a blank page below the main Confluence top navigation bar when clicking Close after entering the editor.
Workarounds
There are a few workarounds to this, and reasons why we don't see this bug as critical:
- Most importantly, Atlassian recommends not using your administration account for regular use of Confluence. Create separate admin and user accounts instead.
- Use your admin powers to grant yourself permission to edit the page (at space and page level as required), then edit the page again.
- Use the back button to get back to your changes and copy/paste them for saving as a user that is explicitly permitted to edit the page. (If the back button doesn't work in your scenario, please raise a ticket with steps to reproduce - we'd like to fix this.)
- Until CONF-4616 is fixed, grant administrators "System Administration" permission but do not put them in the "confluence-administrators" group if you do not wish them to have access to all content in your system. (This is in relation to the original bug.)
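The first set of replication steps describes an Edit control that is offered by one permission decision and a Save that is refused by another. The sketch below is an added example, not Confluence code: a simplified model with hypothetical names (`ui_offers_edit`, `save_allowed`, `find_mismatches`) and an assumed rule for the render path, used to show a regression check that enumerates user/page pairs and reports every case where the two decisions disagree.

```python
from dataclasses import dataclass
from itertools import product

SUPERUSER_GROUP = "confluence-administrators"

@dataclass(frozen=True)
class User:
    name: str
    groups: frozenset

@dataclass(frozen=True)
class Page:
    title: str
    edit_groups: frozenset = frozenset()  # empty means no edit restriction
    edit_users: frozenset = frozenset()

def passes_restriction(user, page):
    """Page-level rule: unrestricted, or the user or one of their groups is listed."""
    if not page.edit_groups and not page.edit_users:
        return True
    return user.name in page.edit_users or bool(user.groups & page.edit_groups)

def ui_offers_edit(user, page):
    # Assumption made to reproduce the report: the render path also trusts
    # membership of the superuser group.
    return SUPERUSER_GROUP in user.groups or passes_restriction(user, page)

def save_allowed(user, page):
    # Assumption: the save path enforces only the page restriction.
    return passes_restriction(user, page)

def find_mismatches(users, pages, ui_check=ui_offers_edit, save_check=save_allowed):
    """Return (user, page) pairs where the UI decision and the save decision differ."""
    return [(u.name, p.title) for u, p in product(users, pages)
            if ui_check(u, p) != save_check(u, p)]

# Constructed sample data mirroring the first replication scenario.
user_a = User("userA", frozenset({"confluence-users", "team-x"}))
user_b = User("userB", frozenset({SUPERUSER_GROUP}))
pages = [Page("Restricted", edit_groups=frozenset({"team-x"})), Page("Open")]

if __name__ == "__main__":
    # userB is offered Edit on the restricted page but cannot save it.
    print(find_mismatches([user_a, user_b], pages))
    # Routing both paths through one decision function removes the mismatch.
    print(find_mismatches([user_a, user_b], pages, ui_check=save_allowed))
```

Whether the shared decision should hide the Edit control or permit the save is a product choice; the check only requires that both paths give the same answer.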
- causes
  - CONFSERVER-55006 Members of confluence-administrators group cannot edit pages unless given explicit permission (Gathering Impact)
- is duplicated by
  - CONFSERVER-31330 confluence-administrators permission shows page edit button but does not allow page edit (Closed)
  - CONFSERVER-34714 Page restricted to one admin in unable to be edited by another admin (Closed)
- is related to
  - CONFSERVER-26973 Plugins can change a page when restrictions should prevent editing (for users who are admins, but don't currently have elevated permissions) (Closed)
- relates to
  - CONFSERVER-45327 Members of the confluence-administrators group are able to edit pages they do not have permission to (Closed)
  - CONFSERVER-31330 confluence-administrators permission shows page edit button but does not allow page edit (Closed)
  - CONFSERVER-34714 Page restricted to one admin in unable to be edited by another admin (Closed)
  - CONFSERVER-38943 Blank page when members of confluence-administrators exit from the editor in a restricted pages (Closed)
  - CONFSERVER-39774 Clicking close after attempting to edit a restricted page you do not have editing rights on results in a blank page (Closed)
  - CONFSERVER-43965 Cannot go direct to page edit link with user belong to confluence-administrator (Gathering Impact)
  - CONFSERVER-39756 Remove EDIT button if administrator doesn't have permissions to edit pages (Gathering Impact)
  - CONFSERVER-4616 Remove/rework special privileges of confluence-administrators ("superuser") group (Gathering Interest)