Details
Bug
Resolution: Fixed
Medium
4.2, 4.2.6
None
Linux/MySQL
4
Description
Users that should have no access to restricted pages that adopt restrictions from the parent page are able to upload attachments if they know the page ID.
How to reproduce:
1. Create 2 users, user1 and user2
2. Create a page with user1 and set the page view and edit restrictions to "Me"
3. Create a subpage to this page with user1
4. Correct: Subpage inherits the restrictions, so no one else but user1 can see both pages
5. Send a POST request with user2 to /pages/attachfile.action with a file and the content ID of the parent page
6. Correct: An error occurs because user2 has no permissions to upload attachments
7. Send the same POST request to the content ID of the subpage
8. File is being attached to page :-O
Tested with Confluence 4.2 and 3.5.13
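
The reproduction steps above can be turned into a regression check for the permission decision. The following is an added example, not part of the original report and not Confluence's code: the `Page` model, the page IDs and both check functions are hypothetical, and the direct-only check is an assumed illustration of how an inherited restriction can be missed, since the report does not state the root cause.

```python
# Constructed model for illustration; not Confluence's code or data model.
from dataclasses import dataclass
from typing import Optional


@dataclass
class Page:
    page_id: int
    parent: Optional["Page"] = None
    # Users allowed by a restriction set directly on this page; None = no own restriction.
    allowed: Optional[frozenset] = None


def can_attach_direct_only(user: str, page: Page) -> bool:
    """Assumed flawed check: looks only at the target page's own restriction."""
    return page.allowed is None or user in page.allowed


def can_attach(user: str, page: Page) -> bool:
    """Hardened check: every restricted page on the path to the root must allow the user."""
    seen = set()
    node = page
    while node is not None:
        if node.page_id in seen:  # corrupt hierarchy (cycle): fail closed
            return False
        seen.add(node.page_id)
        if node.allowed is not None and user not in node.allowed:
            return False
        node = node.parent
    return True


def replay_report(check) -> dict:
    """Replay the report's steps against a permission check and return each decision."""
    parent = Page(1001, allowed=frozenset({"user1"}))  # step 2: restricted to "Me"
    sub = Page(1002, parent=parent)                    # step 3: subpage, no own restriction
    return {
        "user1_parent": check("user1", parent),
        "user1_sub": check("user1", sub),
        "user2_parent": check("user2", parent),        # steps 5-6: must be denied
        "user2_sub": check("user2", sub),              # steps 7-8: must be denied
    }


if __name__ == "__main__":
    print("direct-only:   ", replay_report(can_attach_direct_only))
    print("ancestor-aware:", replay_report(can_attach))
```

The same four decisions are worth asserting for every action that takes a content ID directly (attach, comment, label), since each is a separate entry point to the permission check.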