Space permissions ignored in list of blog posts by date

XMLWordPrintable

    • 4

      Summary

      Users have the ability to view a list of all blog posts, even from spaces in which they don't have permission to access.

      Steps to Reproduce

      1. Install Confluence 5.7.x
      2. Create two spaces
        • Space A
        • Space B (remove all permissions for confluence-users)
      3. Create a blog post in Space A
      4. Create a blog post in Space B
      5. Create and login as a new regular user
      6. Goto the blog post in Space A
      7. Click the Month in the page breadcrumbs

      Expected Results

      The user should only see the the blog post from Space A listed

      Actual Results

      The user will see both blog posts listed.

      Notes

      1. If the user attempts to view the blog post from Space B, it will give a Page Not Found message as expected
      2. This behavior can also be achieved by going directly to http://<confluencehost>/display/<spacekey>/2015/05 (or any combination of year and day)
      3. This behavior worked as expected in Confluence 5.6.x

        1. CONF-37542-patch.zip
          6 kB

              Assignee:
              Phong Quoc Le (Inactive)
              Reporter:
              Branno (Inactive)
              Votes:
              0 Vote for this issue
              Watchers:
              12 Start watching this issue

                Created:
                Updated:
                Resolved: