Details
- Bug
- Resolution: Unresolved
- Low
- None
- 5.8, 5.9, 5.10, No-Version, 6.2.3
- 4
- Severity 3 - Minor
- 1
Description
NOTE: This bug report is for Confluence Server. Using Confluence Cloud? See the corresponding bug report.
Summary
Anonymous/Limited users may see private questions (questions that are linked to a private space) in the Popular tab or in Topics counters.
Note: Limited users are users without permission to view the private space that contains questions.
Environment
- Confluence 5.8.18
- Questions plugin 2.4.11
Steps to Reproduce
- Prepare test scenario:
  - enable anonymous user
  - add several global questions
  - answer them while they are still global and unrestricted
  - create a private space
  - create and configure a limited user (no view access to the private space)
  - restrict visibility of the private space
  - move one answered question to the private space
  - leave at least one global question as it is
  - create a new question and answer it in a private space (same topics as before)
  - add the topic "private" to all questions that belong to a private space
- Test Symptom #1 - anonymous/limited users see private questions on the Popular tab:
  - log in as an anonymous or limited user
  - navigate to Questions and observe the Popular and Recent questions tabs
  - Actual results (anonymous user): In the Popular tab, the anonymous user sees questions that belong to a private space. Clicking on a restricted question redirects the user to the login page. See the attached screenshot for an example.
  - Actual results (limited user): In the Popular tab, the limited user sees questions that belong to a private space. Clicking on a restricted question redirects the limited user to a "Page Not Found" page.
  - Expected results: Neither anonymous nor limited users should see questions/answers that belong to a private space. This seems to work as expected in the Recent and Unanswered tabs. See the attached screenshot for an example.
- Test Symptom #2 - anonymous/limited users see topic counters that include private questions when browsing questions by topic:
  - log in as an anonymous or limited user
  - navigate to Questions > Topics
  - click on the "private" topic
  - Actual results (anonymous/limited users): Even though the "private" topic has a counter indicating a number of questions greater than 0, clicking on that topic leads the user to a potentially empty page. See the attached screenshots for an example of the "private" topic leading the user to an empty page.
  - Expected results: The topic counter should not lead users to empty pages. Ideally the counters would include only questions that are visible to the current user.
Notes
When anonymous/limited users click on the private question link, they are prompted for credentials or redirected to a "page not found". Therefore, this bug report was raised with "Minor" symptom severity.
Workaround
- Create the questions directly in a private space to avoid symptom #1 (symptom #2 still happens).
- I could not find a way to "fix" view permissions whenever symptom #1 is observed.
Issue Links
- is duplicated by
  - CONFSERVER-52763 Users if mentioned receive emails with answers/comments on questions in a restricted space they don't have permissions to view (Closed)
- relates to
  - CONFCLOUD-47192 Users without view permission to a private space may still see private questions in Popular tab or Topic counters (Closed)