Security Issue: REST API does not respect 'Allow Anonymous Access to Remote API' setting on pages that have anonymous access

    • Severity 2 - Major

      Summary

      Anonymous API access is allowed on pages that have the Anonymous View permission, even though the 'Allow Anonymous Access to Remote API' setting is not ticked.

      Steps to Reproduce

      1. Make sure that the 'Allow Anonymous Access to Remote API' setting under Confluence Administration > Security Configuration is not ticked
      2. Make sure that Confluence has Anonymous Access enabled under Confluence Administration > Global Permissions
      3. Create a new space and make sure that the space grants Anonymous Access under Space Tools > Permissions
      4. Create a test page in that space
      5. Try to access the page through the REST API without authenticating. For example:
        $ curl -v http://localhost:8090/rest/api/content/7307283?expand=body.storage

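      As an added check (not part of this report): a small script that exercises the same content endpoint without credentials and classifies the response, so an administrator can confirm whether the 'Allow Anonymous Access to Remote API' setting is honoured on their own instance. The base URL, page IDs and the status codes treated as "denied" (401/403/404) are assumptions of this example.

```python
"""Audit check: does an unauthenticated GET against the Confluence content
REST endpoint return page content?  Added example, not code from the issue.
Assumed: base URL, page IDs, and 401/403/404 as the 'denied' status codes."""
import json
import urllib.error
import urllib.request

# Same endpoint shape as the curl command in the report.
CONTENT_ENDPOINT = "/rest/api/content/{page_id}?expand=body.storage"


def fetch_anonymous(url, timeout=10):
    """Plain GET with no credentials or cookies; returns (status, body_text)."""
    req = urllib.request.Request(url, headers={"Accept": "application/json"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:  # 401/403/404 arrive here
        return err.code, err.read().decode("utf-8", "replace")


def classify(status, body):
    """'denied' if the API refused the anonymous request, 'exposed' if it
    answered 200 with the page's storage body, otherwise 'unexpected'."""
    if status in (401, 403, 404):
        return "denied"
    if status == 200:
        try:
            doc = json.loads(body)
        except ValueError:
            return "unexpected"
        if doc.get("body", {}).get("storage", {}).get("value") is not None:
            return "exposed"
    return "unexpected"


def audit(base_url, page_ids, fetch=fetch_anonymous):
    """Check each page anonymously; returns {page_id: verdict}.  `fetch` is
    injectable so the logic can be exercised offline with canned responses."""
    results = {}
    for page_id in page_ids:
        url = base_url.rstrip("/") + CONTENT_ENDPOINT.format(page_id=page_id)
        status, body = fetch(url)
        results[page_id] = classify(status, body)
    return results


if __name__ == "__main__":
    import sys
    base, ids = sys.argv[1], sys.argv[2:]  # e.g. http://localhost:8090 7307283
    for pid, verdict in audit(base, ids).items():
        print(f"{pid}: {verdict}")
```

      With the setting unticked, every page should come back as "denied"; an "exposed" verdict on an anonymously viewable page reproduces the behaviour this report describes.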

      Expected Results

      No content should be returned, since the request is anonymous and provides no authentication method.

      Actual Results

      A 200 OK response is returned.

            Assignee: Unassigned
            Reporter: Monique Khairuliana (Inactive)
            Votes: 0
            Watchers: 4