Reading restrictions of Child pages through the REST API results in an empty response

XMLWordPrintable

    • 10
    • Severity 3 - Minor
    • 2

      Summary

      When consulting restrictions of a child page through the REST API, it returns in an empty response even though it inherits restrictions from the parent page.

      Steps to Reproduce

      1. Create a parent and a child page
      2. Apply group restrictions to the parent page
      3. Restrictions are inherited by the child page as expected (see attached screenshot)
      4. Perform a REST call to check the restrictions of the child: 
      http://{host}:{port}/{context-path}/rest/api/content/{id}/restriction/byOperation/read

      Expected Results

      The inherited restrictions are listed, just as they are when you read the parent page restrictions. Output example from the parent page:

      {
"operation": "read",
"restrictions": {
"user": {
"results": [
{
"type": "known",
"profilePicture": {
"path": "/{context-path}/images/icons/profilepics/default.png",
"width": 48,
"height": 48,
"isDefault": true
},
"username": "admin",
"displayName": "Admin User [Local]",
"userKey": "ff8080815917ff18015917ff679d0002"
}
],
"start": 0,
"limit": 100,
"size": 1
},
"group": {
"results": [
{
"type": "group",
"name": "confluence-users"
}
],
"start": 0,
"limit": 100,
"size": 1
}
},
"_links": {
"base": "http://{host}:{port}/{context-path}",
"context": "{context-path}",
"self": "http://{host}:{port}/{context-path}/rest/api/content/65575/restriction/byOperation/read" 
}, 
"_expandable": { 
"content": "/rest/api/content/65575" 
} 
}

      Actual Results

      No restrictions are listed for the child page. Here is the output for the child:

      {
"operation": "read",
"restrictions": {
"user": {
"results": [],
"start": 0,
"limit": 100,
"size": 0
},
"group": {
"results": [],
"start": 0,
"limit": 100,
"size": 0
}
},
"_links": {
"base": "http://{host}:{port}/{context-path}",
"context": "{context-path}",
"self": "http://{host}:{port}/{context-path}/rest/api/content/65577/restriction/byOperation/read"
},
"_expandable": {
"content": "/rest/api/content/65577"
}
}

      Workaround

      Option 1

      Consult the parent page to check for restrictions.

      Option 2

      Run the same request that the web UI does, with a little help of jq and sed commands, then we get the users that have read access to a target page:

      ADMIN_USRNAME=admin
ADMIN_PWD=admin
CONFBASEURL=http://localhost:8090/confluence
TGT_PAGEID=6553611
TGT_PAGE_SPCKEY=~admin
PARENT_PAGEID=6553609

$ curl -u $ADMIN_USRNAME:$ADMIN_PWD $CONFBASEURL'/pages/getcontentpermissions.action?contentId='$TGT_PAGEID'&parentPageId='$PARENT_PAGEID'&spaceKey='$TGT_PAGE_SPCKEY 2>/dev/null | jq -r '.users[] | select(.report==null) | (.entity.name)' | sed -e ':a' -e 'N' -e '$!ba' -e 's/\n/,/g'
user001,admin

        1. Inherited-Restrictions.png
          Inherited-Restrictions.png
          68 kB

            Assignee:
            Unassigned
            Reporter:
            Bernardo Andreeti
            Votes:
            4 Vote for this issue
            Watchers:
            11 Start watching this issue

              Created:
              Updated: