Confluence Data Center
CONFSERVER-52360

Security Issue: REST API does not respect 'Allow Anonymous Access to Remote API' setting on pages that has anonymous access


Details

    Description

      Summary

      Anonymous API access is allowed on pages that have the Anonymous View permission, even though the 'Allow Anonymous Access to Remote API' setting is not ticked.

      Steps to Reproduce

      1. Make sure that the 'Allow Anonymous Access to Remote API' setting under Confluence Administration > Security Configuration is not ticked
      2. Make sure that Confluence has Anonymous Access enabled under Confluence Administration > Global Permissions
      3. Create a new space and make sure that the space grants Anonymous Access under Space Tools > Permissions
      4. Create a test page in that space
      5. Try to access the page through the REST API without authenticating. For example:
        $ curl -v http://localhost:8090/rest/api/content/7307283?expand=body.storage

      Expected Results

      No page content should be returned, since the request is anonymous and does not supply any authentication.

      Actual Results

      A 200 OK response is returned.

People
  Assignee: Unassigned
  Reporter: mkhairuliana Monique Khairuliana (Inactive)