Details
-
Bug
-
Resolution: Unresolved
-
Low
-
None
-
5.10.2, 5.10.8, 6.4.3
-
10
-
Severity 3 - Minor
-
2
-
Description
Summary
When consulting restrictions of a child page through the REST API, it returns in an empty response even though it inherits restrictions from the parent page.
Steps to Reproduce
- Create a parent and a child page
- Apply group restrictions to the parent page
- Restrictions are inherited by the child page as expected (see attached screenshot)
- Perform a REST call to check the restrictions of the child:
http://{host}:{port}/{context-path}/rest/api/content/{id}/restriction/byOperation/read
Expected Results
The inherited restrictions are listed, just as they are when you read the parent page restrictions. Output example from the parent page:
{
"operation": "read",
"restrictions": {
"user": {
"results": [
{
"type": "known",
"profilePicture": {
"path": "/{context-path}/images/icons/profilepics/default.png",
"width": 48,
"height": 48,
"isDefault": true
},
"username": "admin",
"displayName": "Admin User [Local]",
"userKey": "ff8080815917ff18015917ff679d0002"
}
],
"start": 0,
"limit": 100,
"size": 1
},
"group": {
"results": [
{
"type": "group",
"name": "confluence-users"
}
],
"start": 0,
"limit": 100,
"size": 1
}
},
"_links": {
"base": "http://{host}:{port}/{context-path}",
"context": "{context-path}",
"self": "http://{host}:{port}/{context-path}/rest/api/content/65575/restriction/byOperation/read"
},
"_expandable": {
"content": "/rest/api/content/65575"
}
}
Actual Results
No restrictions are listed for the child page. Here is the output for the child:
{
"operation": "read",
"restrictions": {
"user": {
"results": [],
"start": 0,
"limit": 100,
"size": 0
},
"group": {
"results": [],
"start": 0,
"limit": 100,
"size": 0
}
},
"_links": {
"base": "http://{host}:{port}/{context-path}",
"context": "{context-path}",
"self": "http://{host}:{port}/{context-path}/rest/api/content/65577/restriction/byOperation/read"
},
"_expandable": {
"content": "/rest/api/content/65577"
}
}
Workaround
Option 1
Consult the parent page to check for restrictions.
Option 2
Run the same request that the web UI does, with a little help of jq and sed commands, then we get the users that have read access to a target page:
ADMIN_USRNAME=admin ADMIN_PWD=admin CONFBASEURL=http://localhost:8090/confluence TGT_PAGEID=6553611 TGT_PAGE_SPCKEY=~admin PARENT_PAGEID=6553609 $ curl -u $ADMIN_USRNAME:$ADMIN_PWD $CONFBASEURL'/pages/getcontentpermissions.action?contentId='$TGT_PAGEID'&parentPageId='$PARENT_PAGEID'&spaceKey='$TGT_PAGE_SPCKEY 2>/dev/null | jq -r '.users[] | select(.report==null) | (.entity.name)' | sed -e ':a' -e 'N' -e '$!ba' -e 's/\n/,/g' user001,admin
