[CONFSERVER-28946] Anonymous space permission allows non-permissioned groups to access space, when global permissions are set to prevent anonymous access

Type: Bug
Resolution: Fixed
Priority: Low
Fix Version/s: 7.4.10, 7.12.3, 7.13.0
Affects Version/s: 5.1-OD-4, 5.8.5, 5.8.14, 6.15.6, 7.2.1, 7.3.5
Component/s: User - Global / Space Permissions
Labels:
Environment:

OnDemand, BTF

Fixed in Long Term Support Release/s:

Download 7.4
Support reference count:
14
Symptom Severity:
Severity 2 - Major
UIS:
11
Bug Fix Policy:
View Atlassian Server bug fix policy

NOTE: This bug report is for Confluence Server. Using Confluence Cloud? See the corresponding bug report.

The Space Admin functionality allows a space to have 'Anonymous Access' allowed and displays the following warning:

WARNING
Anonymous users will not be able to view this space, because they have not been granted the global ‘Use Confluence’ permission. You can grant anonymous access to Confluence from global permissions.

The global permissions of the Confluence environment prevents anonymous users from accessing Confluence.

However, a user that is permissioned to Confluence but does not belong to a group that is currently permissioned to the space is now able to access the space. Examples of this behaviour have been attached.

Removing the anonymous flag from the space will then prevent this user from being able to access the space. You can use the following query to identify spaces with Anonymous permissions enabled:

SELECT spacename, 
       spacekey 
FROM   spaces 
WHERE  spaceid IN (SELECT spaceid 
                   FROM   spacepermissions 
                   WHERE  permgroupname IS NULL 
                          AND permusername IS NULL);

Cheers,
Paul

- - Sort By Name
  - Sort By Date
  - Ascending
  - Descending
  - Thumbnails
  - List

adding_comment_on_space.jpeg
365 kB
15/Apr/2013 11:53 PM
global_permissions.jpeg
326 kB
15/Apr/2013 11:53 PM
profile_only_users_group.jpeg
45 kB
15/Apr/2013 11:53 PM
space_permissions.jpeg
481 kB
15/Apr/2013 11:53 PM

is caused by

CONFSERVER-4955 Confluence users should inherit permissions from the anonymous user

Closed

is duplicated by

CONFCLOUD-53769 Authenticated users inherit anonymous access space permissions with public access disabled.

Closed

is related to

CONFSERVER-40790 Space anonymous permissions having effects

Closed

CONFSERVER-40487 If public is disabled public access space permissions should bet set to default.

Closed

CONFSERVER-11553 Improve the explanations for Not Permitted error

Gathering Interest

relates to

CONFSERVER-38298 Anonymous space permission allows anyone who logged-in to access space, even when global permissions are set to prevent anonymous access

Closed

CONFCLOUD-28946 Anonymous space permission allows non-permissioned groups to access space, when global permissions are set to prevent anonymous access

Gathering Interest

PSR-630 Loading...

mentioned in: Page Loading...; Page Loading...; Page Loading...; Page Loading...; Page Loading...; Page Loading...; Page Loading...

(3 relates to, 7 mentioned in)

Jiri Hronik added a comment - 17/Aug/2021 12:40 AM

A fix for this issue is available to Server and Data Center customers in Confluence 7.13.0
Upgrade now or check out the Release Notes to see what other issues are resolved.

Jiri Hronik added a comment - 17/Aug/2021 12:40 AM A fix for this issue is available to Server and Data Center customers in Confluence 7.13.0 Upgrade now or check out the Release Notes to see what other issues are resolved.

Jiri Hronik added a comment - 02/Aug/2021 12:38 AM

A fix for this issue is available to Server and Data Center customers in Confluence 7.4.10
Upgrade now or check out the Release Notes to see what other issues are resolved.

Jiri Hronik added a comment - 02/Aug/2021 12:38 AM A fix for this issue is available to Server and Data Center customers in Confluence 7.4.10 Upgrade now or check out the Release Notes to see what other issues are resolved.

Mahesh Swami added a comment - 13/Jul/2021 10:56 PM

A solution has been implemented to eliminate the lack of clarity around this feature by -

1. Displaying a clearer description/message about the feature on the Space permissions screen for the Confluence Admin
2. Displaying a clearer description/message about the feature on the Space tools screen for the space Admin

The description would clearly mention that the "anonymous" permissions apply to "all the logged in users".

Mahesh Swami added a comment - 13/Jul/2021 10:56 PM A solution has been implemented to eliminate the lack of clarity around this feature by - 1. Displaying a clearer description/message about the feature on the Space permissions screen for the Confluence Admin 2. Displaying a clearer description/message about the feature on the Space tools screen for the space Admin The description would clearly mention that the "anonymous" permissions apply to "all the logged in users".

msilberman@arlo.com added a comment - 13/May/2021 5:04 PM

In our Confluence Data Center we need to be able to isolate spaces from partners we provide login access to. The site is only accessible from our internal network, so anonymous is unnecessary. We do need to allow a user to create and manage the access permissions themselves, so it is critical for our site security that permissions work as expected. This issue allows someone to unwittingly set anonymous access which then posts the warning that it is not going to work because Global setting overrides it. But, it doesn't alert them to the issue that they've now enabled access to all users unintentionally. This is a serious security flaw. Is there any work around to remove anonymous or disable setting it?

msilberman@arlo.com added a comment - 13/May/2021 5:04 PM In our Confluence Data Center we need to be able to isolate spaces from partners we provide login access to. The site is only accessible from our internal network, so anonymous is unnecessary. We do need to allow a user to create and manage the access permissions themselves, so it is critical for our site security that permissions work as expected. This issue allows someone to unwittingly set anonymous access which then posts the warning that it is not going to work because Global setting overrides it. But, it doesn't alert them to the issue that they've now enabled access to all users unintentionally. This is a serious security flaw. Is there any work around to remove anonymous or disable setting it?

Thomas Weißschuh added a comment - 06/Nov/2019 2:20 PM

It may be enough to change the wording on the space admin page.
Instead of calling it "Anonymous Access" call it "Global Access" or "General Access".

and/or:

When a user is using Confluence while not logged in, they are using it anonymously. ->
When a user is using Confluence while not logged in or not having any more specific permission assigned, they are using it under global access.

Thomas Weißschuh added a comment - 06/Nov/2019 2:20 PM It may be enough to change the wording on the space admin page. Instead of calling it "Anonymous Access" call it "Global Access" or "General Access". and/or: When a user is using Confluence while not logged in, they are using it anonymously. -> When a user is using Confluence while not logged in or not having any more specific permission assigned, they are using it under global access.

Robert Chang added a comment - 28/Nov/2017 10:31 PM - edited

The current behavior:

Global-level anonymous access	Space-level anonymous access	Result	Working as expected?
Enabled	Enabled	Anonymous + all authenticated users can view space	No, since authenticated users should not be considered "anonymous"
Enabled	Disabled	Only specific permitted groups/users can view space. Anonymous users cannot view space	Yes
Disabled	Enabled	All authenticated users can view space. Anonymous users cannot view space	No, since authenticated users should not be considered "anonymous"
Disabled	Disabled	Only specific permitted groups/users can view space. Anonymous users cannot view space	Yes

How to potentially clarify this behavior:

If Anonymous is enabled globally, on the Space Permissions pane it should say "All authenticated + unauthenticated users"
If Anonymous is disabled globally, on the Space Permissions pane it should say "All authenticated users"

Robert Chang added a comment - 28/Nov/2017 10:31 PM - edited The current behavior: Global-level anonymous access Space-level anonymous access Result Working as expected? Enabled Enabled Anonymous + all authenticated users can view space No, since authenticated users should not be considered "anonymous" Enabled Disabled Only specific permitted groups/users can view space. Anonymous users cannot view space Yes Disabled Enabled All authenticated users can view space. Anonymous users cannot view space No, since authenticated users should not be considered "anonymous" Disabled Disabled Only specific permitted groups/users can view space. Anonymous users cannot view space Yes How to potentially clarify this behavior: If Anonymous is enabled globally, on the Space Permissions pane it should say "All authenticated + unauthenticated users" If Anonymous is disabled globally, on the Space Permissions pane it should say "All authenticated users"

Ed Scharrer added a comment - 15/Jul/2015 5:06 AM

Sergey: This applies to BTF/Server instances, too

Ed Scharrer added a comment - 15/Jul/2015 5:06 AM Sergey: This applies to BTF/Server instances, too

Ed Scharrer added a comment - 15/Jul/2015 5:04 AM

I wonder why this has LOW priority, this is a SECURITY issue and should be treated with HIGHEST priority

Ed Scharrer added a comment - 15/Jul/2015 5:04 AM I wonder why this has LOW priority, this is a SECURITY issue and should be treated with HIGHEST priority

Sergey Svishchev added a comment - 24/Jun/2014 10:02 AM

Does this apply only to OnDemand instances?

Sergey Svishchev added a comment - 24/Jun/2014 10:02 AM Does this apply only to OnDemand instances?

Assignee:: Mahesh Swami

Reporter:: Paul Greig

Affected customers:: 31 This affects my team

Watchers:: 48 Start watching this issue

Created:: 15/Apr/2013 11:53 PM

Updated:: 25/Feb/2025 8:12 AM

Resolved:: 13/Jul/2021 10:57 PM

Confluence Data Center

Details

Description

Attachments

Attachments

Issue Links

Forms

Activity

Collapse comment: Jiri Hronik added a comment - 17/Aug/2021 12:40 AM

Expand comment: Jiri Hronik added a comment - 17/Aug/2021 12:40 AM

Collapse comment: Jiri Hronik added a comment - 02/Aug/2021 12:38 AM

Expand comment: Jiri Hronik added a comment - 02/Aug/2021 12:38 AM

Collapse comment: Mahesh Swami added a comment - 13/Jul/2021 10:56 PM

Expand comment: Mahesh Swami added a comment - 13/Jul/2021 10:56 PM

Collapse comment: msilberman@arlo.com added a comment - 13/May/2021 5:04 PM

Expand comment: msilberman@arlo.com added a comment - 13/May/2021 5:04 PM

Collapse comment: Thomas Weißschuh added a comment - 06/Nov/2019 2:20 PM

Expand comment: Thomas Weißschuh added a comment - 06/Nov/2019 2:20 PM

Collapse comment: Robert Chang added a comment - 28/Nov/2017 10:31 PM, Edited by Robert Chang - 28/Nov/2017 11:06 PM

How to potentially clarify this behavior:

Expand comment: Robert Chang added a comment - 28/Nov/2017 10:31 PM, Edited by Robert Chang - 28/Nov/2017 11:06 PM

Collapse comment: Ed Scharrer added a comment - 15/Jul/2015 5:06 AM

Expand comment: Ed Scharrer added a comment - 15/Jul/2015 5:06 AM

Collapse comment: Ed Scharrer added a comment - 15/Jul/2015 5:04 AM

Expand comment: Ed Scharrer added a comment - 15/Jul/2015 5:04 AM

Collapse comment: Sergey Svishchev added a comment - 24/Jun/2014 10:02 AM

Expand comment: Sergey Svishchev added a comment - 24/Jun/2014 10:02 AM

People

Dates