
Anonymous space permission allows non-permissioned groups to access space, when global permissions are set to prevent anonymous access

      NOTE: This bug report is for Confluence Server. Using Confluence Cloud? See the corresponding bug report.

      The Space Admin functionality allows a space to have 'Anonymous Access' allowed and displays the following warning:

      WARNING
      Anonymous users will not be able to view this space, because they have not been granted the global ‘Use Confluence’ permission. You can grant anonymous access to Confluence from global permissions.

      The global permissions of the Confluence environment prevent anonymous users from accessing Confluence.

      However, a user that is permissioned to Confluence but does not belong to a group that is currently permissioned to the space is now able to access the space. Examples of this behaviour have been attached.

      Removing the anonymous flag from the space will then prevent this user from being able to access the space. You can use the following query to identify spaces with Anonymous permissions enabled:

      -- A spacepermissions row with neither a group nor a user is the space-level anonymous grant.
      SELECT spacename,
             spacekey
      FROM   spaces
      WHERE  spaceid IN (SELECT spaceid
                         FROM   spacepermissions
                         WHERE  permgroupname IS NULL
                                AND permusername IS NULL);

      Cheers,
      Paul

        Attachments:
        1. adding_comment_on_space.jpeg (365 kB)
        2. global_permissions.jpeg (326 kB)
        3. profile_only_users_group.jpeg (45 kB)
        4. space_permissions.jpeg (481 kB)

            [CONFSERVER-28946] Anonymous space permission allows non-permissioned groups to access space, when global permissions are set to prevent anonymous access

            Jiri Hronik added a comment:

            A fix for this issue is available to Server and Data Center customers in Confluence 7.13.0.
            Upgrade now or check out the Release Notes to see what other issues are resolved.

            Jiri Hronik added a comment:

            A fix for this issue is available to Server and Data Center customers in Confluence 7.4.10.
            Upgrade now or check out the Release Notes to see what other issues are resolved.

            Mahesh Swami added a comment:

            A solution has been implemented to eliminate the lack of clarity around this feature by:

            1. Displaying a clearer description/message about the feature on the Space permissions screen for the Confluence Admin
            2. Displaying a clearer description/message about the feature on the Space tools screen for the space Admin

            The description would clearly mention that the "anonymous" permissions apply to "all the logged in users".

            msilberman@arlo.com added a comment:

            In our Confluence Data Center we need to be able to isolate spaces from partners we provide login access to. The site is only accessible from our internal network, so anonymous is unnecessary. We do need to allow a user to create and manage the access permissions themselves, so it is critical for our site security that permissions work as expected. This issue allows someone to unwittingly set anonymous access, which then posts the warning that it is not going to work because the Global setting overrides it. But it doesn't alert them to the issue that they've now enabled access to all users unintentionally. This is a serious security flaw. Is there any workaround to remove anonymous or disable setting it?

            Thomas Weißschuh added a comment:

            It may be enough to change the wording on the space admin page.
            Instead of calling it "Anonymous Access", call it "Global Access" or "General Access".

            and/or:

            When a user is using Confluence while not logged in, they are using it anonymously. ->
            When a user is using Confluence while not logged in or not having any more specific permission assigned, they are using it under global access.

            Robert Chang added a comment (edited):

            The current behavior:

            ||Global-level anonymous access||Space-level anonymous access||Result||Working as expected?||
            |Enabled|Enabled|Anonymous + all authenticated users can view space|No, since authenticated users should not be considered "anonymous"|
            |Enabled|Disabled|Only specific permitted groups/users can view space. Anonymous users cannot view space|Yes|
            |Disabled|Enabled|All authenticated users can view space. Anonymous users cannot view space|No, since authenticated users should not be considered "anonymous"|
            |Disabled|Disabled|Only specific permitted groups/users can view space. Anonymous users cannot view space|Yes|

            How to potentially clarify this behavior:

            • If Anonymous is enabled globally, on the Space Permissions pane it should say "All authenticated + unauthenticated users"
            • If Anonymous is disabled globally, on the Space Permissions pane it should say "All authenticated users"

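            The following is an added example, not code from Atlassian or from anyone in this thread. It combines the audit query from the bug description with the behaviour table above: it loads constructed sample rows into an in-memory SQLite database using a minimal, assumed subset of the spaces and spacepermissions columns (only the columns the query names, plus permtype), runs the reporter's query to find spaces with the anonymous flag set, models the observed (not intended) access outcome for each global/space flag combination, and labels each flagged space with the wording Robert proposes for the Space Permissions pane.

```python
"""Audit helper for the CONFSERVER-28946 behaviour (added example, not Atlassian code).

Schema and rows below are constructed for the example; only the query text
comes from the bug report.
"""
import sqlite3

# Query from the bug description: a spacepermissions row with neither a
# group nor a user is the space-level "Anonymous Access" grant.
ANON_SPACES_SQL = """
SELECT spacename, spacekey
FROM   spaces
WHERE  spaceid IN (SELECT spaceid
                   FROM   spacepermissions
                   WHERE  permgroupname IS NULL
                          AND permusername IS NULL)
"""


def build_sample_db() -> sqlite3.Connection:
    """Constructed data: an assumed minimal subset of the two tables the query touches."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE spaces (spaceid INTEGER PRIMARY KEY, spacename TEXT, spacekey TEXT);
        CREATE TABLE spacepermissions (
            spaceid INTEGER, permtype TEXT, permgroupname TEXT, permusername TEXT);
    """)
    conn.executemany("INSERT INTO spaces VALUES (?, ?, ?)", [
        (1, "Partner A", "PARTA"),
        (2, "Internal Only", "INT"),
        (3, "Public Docs", "DOCS"),
    ])
    conn.executemany("INSERT INTO spacepermissions VALUES (?, ?, ?, ?)", [
        (1, "VIEWSPACE", "partner-a-users", None),  # explicit group grant
        (1, "VIEWSPACE", None, None),               # anonymous flag ticked
        (2, "VIEWSPACE", "staff", None),            # no anonymous row: not exposed
        (3, "VIEWSPACE", None, None),               # anonymous flag ticked
    ])
    return conn


def anonymous_enabled_spaces(conn: sqlite3.Connection) -> list:
    """Space keys returned by the reporter's query, sorted for stable output."""
    return sorted(key for _, key in conn.execute(ANON_SPACES_SQL))


def can_view(global_anon: bool, space_anon: bool, user_groups, permitted_groups,
             authenticated: bool) -> bool:
    """Observed behaviour from the comment table (not the intended behaviour):
    the space anonymous flag acts as "everyone" for logged-in users, and also
    for unauthenticated visitors only when anonymous access is enabled globally."""
    if set(user_groups) & set(permitted_groups):
        return True          # an explicit group grant always works
    if not space_anon:
        return False         # no flag: only permitted groups/users see the space
    return authenticated or global_anon


def behaviour_table() -> dict:
    """Reproduce the four rows of the table: for each (global, space) flag pair,
    (logged-in user in no permitted group can view?, unauthenticated visitor can view?)."""
    rows = {}
    for global_anon in (True, False):
        for space_anon in (True, False):
            rows[(global_anon, space_anon)] = (
                can_view(global_anon, space_anon, ["other"], ["staff"], True),
                can_view(global_anon, space_anon, [], ["staff"], False),
            )
    return rows


def audit(conn: sqlite3.Connection, global_anon: bool) -> dict:
    """Map each flagged space key to who can actually view it, using the wording
    proposed in the thread for the Space Permissions pane."""
    label = ("All authenticated + unauthenticated users" if global_anon
             else "All authenticated users")
    return {key: label for key in anonymous_enabled_spaces(conn)}


if __name__ == "__main__":
    db = build_sample_db()
    for flags, outcome in behaviour_table().items():
        print("global=%s space=%s -> authenticated:%s anonymous:%s" % (*flags, *outcome))
    # Global anonymous disabled, as in the report: flagged spaces are still open to every login.
    for key, who in audit(db, global_anon=False).items():
        print("%s: %s" % (key, who))
```

            Running it with global anonymous access disabled reports PARTA and DOCS as open to all authenticated users while INT, which has no anonymous row, is not listed; that is the set of spaces a space admin would want to review before relying on the UI warning.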

            Ed Scharrer added a comment:

            Sergey: This applies to BTF/Server instances, too.

            Ed Scharrer added a comment:

            I wonder why this has LOW priority; this is a SECURITY issue and should be treated with HIGHEST priority.

            Sergey Svishchev added a comment:

            Does this apply only to OnDemand instances?

              Assignee: Mahesh Swami (mswami@atlassian.com)
              Reporter: Paul Greig (pgreig)
              Affected customers: 31
              Watchers: 48
