
Request Access feature does not notify space administrators as expected

      NOTE: This bug report is for Confluence Server. Using Confluence Cloud? See the corresponding bug report.

      Problem summary

      According to https://confluence.atlassian.com/display/DOC/Page+Restrictions, the Request Access feature works by notifying users who are able to grant restriction access to a page, using this logic in order:

      1. The last person to edit the page
      2. All non-admin users that can set permissions on the page (given that an admin user can always set permissions)
      3. The page creator
      4. All the space administrators

      Step 4 is failing. No space admins are notified despite space permission settings. What appears to be happening instead is that a single Confluence superuser (i.e. a member of the "confluence-administrators" group) will be notified. If there is more than one user in this group, the first username on this list, sorted alphabetically, will be sent the request access notification. This user does not need to be a space administrator for the relevant content. In fact, it doesn't matter who is a space admin on that space, as that configuration does not appear to affect the behavior.

      Steps to reproduce

      1. Set up a Confluence instance
      2. Create 5 users:
        • UserA
        • UserB
        • UserC
        • SuperX - place this user in confluence-administrators group (superuser)
        • SuperY - place this user in confluence-administrators group (superuser)
      3. Create a space with UserA, so that this user is automatically a space admin
      4. Create a page with UserB within this space
      5. Using SuperX, restrict the page so that only SuperX can view it
      6. Using UserC, try to view the page by going to the page URL directly. The user cannot see it, and will be asked to request access. Click through.

      Expected behavior

      UserA receives the notification, because although he is not the page creator or the last person to edit the page, he is a full space admin and can set page restrictions.

      Actual behavior

      SuperX receives the notification, because he is the first superuser alphabetically.

      Now rename SuperX to SuperZ, and repeat step 6. Observe that now SuperY is the one who receives the notification, since that is the first superuser alphabetically.

      Additional notes

      There are actually two parts to this issue:

      • Space admins are being ignored in the Request Access logic
      • Only one admin is notified, not all, as detailed in the documentation
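The documented selection order and the behaviour reported above can be compared side by side in a small model. This is an added example, not Confluence code and not part of the original report; `Fixture`, `can_grant` and the other names are hypothetical, and it assumes that applying a restriction does not count as an edit and that only restriction holders, space admins and superusers can grant access.

```python
from dataclasses import dataclass

@dataclass
class Fixture:  # hypothetical model, not a Confluence type
    last_editor: str
    creator: str
    restriction_holders: set  # users named in the page restriction
    space_admins: set
    superusers: set  # members of confluence-administrators

def can_grant(user, fx):
    # Assumption: only these three groups can change the page's restrictions.
    return user in (fx.restriction_holders | fx.space_admins | fx.superusers)

def documented_recipients(fx):
    """Walk the four documented steps in order; the first non-empty step wins."""
    admins = fx.space_admins | fx.superusers
    steps = [
        {fx.last_editor},                 # 1. last person to edit the page
        fx.restriction_holders - admins,  # 2. non-admin users who can set permissions
        {fx.creator},                     # 3. page creator
        fx.space_admins,                  # 4. all space administrators
    ]
    for step in steps:
        hit = sorted(u for u in step if can_grant(u, fx))
        if hit:
            return hit
    return []

def observed_recipient(fx):
    """Behaviour reported in this issue: the first superuser alphabetically."""
    return min(fx.superusers, key=str.lower, default=None)

def misrouted(fx):
    """True when the request lands on someone the documented logic would not pick."""
    return observed_recipient(fx) not in documented_recipients(fx)

# Constructed fixtures mirroring the reproduction steps (before and after the rename).
REPRO = Fixture("UserB", "UserB", {"SuperX"}, {"UserA"}, {"SuperX", "SuperY"})
RENAMED = Fixture("UserB", "UserB", {"SuperZ"}, {"UserA"}, {"SuperZ", "SuperY"})

if __name__ == "__main__":
    for name, fx in (("repro", REPRO), ("renamed", RENAMED)):
        print(name, documented_recipients(fx), observed_recipient(fx), misrouted(fx))
```
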

            [CONFSERVER-45045] Request Access feature does not notify space administrators as expected

            Efim (Inactive) added a comment -

            Hi everyone,

            Fixing this bug has led to significant rework of the Request Access feature. You can find a summary of what has changed in the release notes: https://confluence.atlassian.com/doc/confluence-6-8-release-notes-946014166.html#Confluence6.8ReleaseNotes-Requestaccessisnow5timesbetter

            Basically two things were updated:

            1. Before the update we always sent one request email. Now we can send from 1 to 5 request emails to different people.
            2. We have changed the rules for how email recipients are found. Now we choose them from page contributors and space admins, sort this list and send the emails to the top 5 people.

            Please refer to the link above to find more details. Documentation is going to be updated soon and it will include full information about how the feature works.

            Minh Tran added a comment -

            A fix for this issue is available to Server and Data Center customers in Confluence 6.8.0
            Upgrade now or check out the Release Notes to see what other issues are resolved.


            Boris Berenberg [Uber] added a comment -

            The best workaround we could find was to actually hide the request functionality entirely and provide users with a message to guide them to finding an appropriate person to ask for help. Implementation is to put:

            AJS.$("#page-restricted-container").html("<p>MESSAGE</p>");

            In the End of Body section of Customize HTML.

            Boris Berenberg [Uber] added a comment -

            This basically means that a single admin in a large org has to deal with a huge % of access requests. Since this means trying to identify the right people to actually make the decision, this turns into an extremely large use of time. The financial impact of this becomes significant very quickly, and as a result I disagree with the prioritization of Low.

              epyshnograev Efim (Inactive)
              rchang Robert Chang