Details
- Bug
- Resolution: Not a bug
- Medium
- None
- 6.0
- 2
- Severity 2 - Major
Description
Summary
Anonymous API access is allowed on pages that have Anonymous View Permission, even though the 'Allow Anonymous Access to Remote API' setting is not ticked.
Steps to Reproduce
- Make sure that 'Allow Anonymous Access to Remote API' setting from Confluence Administration > Security Configuration is not ticked
- Make sure that Confluence has Anonymous Access from Confluence Administration > Global Permission
- Create a new space and make sure that the space has Anonymous Access from the Space Tools > Permission
- Create a test page on that space
- Try to access the page using anonymous API access. For example:
$ curl -v 'http://localhost:8090/rest/api/content/7307283?expand=body.storage'
Expected Results
Not getting any response, since the API access is anonymous and does not provide any authentication method.
Actual Results
Getting a 200 OK response
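The reproduction above, generalised into an added audit script (not part of the original ticket or of Confluence itself): it sends the same unauthenticated GET for a list of content IDs on an instance you administer and reports which ones answer 200. The function names and the grouping of 401/403/404 as "denied" are assumptions of this example.

```python
"""Audit which content IDs answer unauthenticated REST reads."""
import json
import sys
import urllib.error
import urllib.request


def anonymous_status(base_url, content_id, opener=urllib.request.urlopen):
    """Return the HTTP status of an unauthenticated GET for one content ID."""
    if not str(content_id).isdigit():
        # Content IDs in the ticket are numeric; reject anything else so the
        # value cannot alter the request path.
        raise ValueError(f"content id must be numeric: {content_id!r}")
    url = f"{base_url.rstrip('/')}/rest/api/content/{content_id}?expand=body.storage"
    # No Authorization header and no cookies: the anonymous request from the
    # reproduction steps.
    req = urllib.request.Request(url, headers={"Accept": "application/json"})
    try:
        with opener(req, timeout=10) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def audit(base_url, content_ids, opener=urllib.request.urlopen):
    """Map each content ID to 'exposed', 'denied' or 'other:<status>'."""
    report = {}
    for cid in content_ids:
        status = anonymous_status(base_url, cid, opener)
        if status == 200:
            report[cid] = "exposed"      # body returned without credentials
        elif status in (401, 403, 404):
            report[cid] = "denied"       # assumption: these mean "not readable"
        else:
            report[cid] = f"other:{status}"
    return report


if __name__ == "__main__":
    # Usage: python audit_anon.py http://localhost:8090 7307283 [more ids...]
    result = audit(sys.argv[1], sys.argv[2:])
    print(json.dumps(result, indent=2))
    # Non-zero exit when any page is readable without credentials.
    sys.exit(1 if "exposed" in result.values() else 0)
```

The non-zero exit code lets the check run in a scheduled job that alerts when a page in a space expected to be private starts answering anonymous reads.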
Issue Links
- relates to
- CONFSERVER-52716 Be able to restrict anonymous REST API connection when Confluence has Anonymous Access
- Gathering Interest