Uploaded image for project: 'Confluence Data Center'
  1. Confluence Data Center
  2. CONFSERVER-55343

"No permission" page should return status 4xx

XMLWordPrintable

    • 1
    • We collect Confluence feedback from various sources, and we evaluate what we've collected when planning our product roadmap. To understand how this piece of feedback will be reviewed, see our Implementation of New Features Policy.

      Problem Definition

      1. Create some page restricted to user A.
      2. Login Confluence with user B.
      3. Access to the page created in step 1.
        Then you will see the "No permission" screen. However it's responded as 200.

      This was confirmed in Confluence 6.8.1.

      Suggested Solution

      It should return 403 forbidden or 404 not found.

      Why this is important

        1. Screen_Shot_2018-04-12_at_9_17_26.png
          Screen_Shot_2018-04-12_at_9_17_26.png
          453 kB

            [CONFSERVER-55343] "No permission" page should return status 4xx

            Sen Geronimo made changes -
            Workflow Original: JAC Suggestion Workflow 4 [ 3563836 ] New: JAC Suggestion Workflow 3 [ 4341102 ]
            Katherine Yabut made changes -
            Workflow Original: JAC Suggestion Workflow 2 [ 3171109 ] New: JAC Suggestion Workflow 4 [ 3563836 ]
            Renan Battaglin made changes -
            Remote Link New: This issue links to "Page (Confluence)" [ 449125 ]
            Renan Battaglin made changes -
            Remote Link New: This issue links to "Page (Confluence)" [ 447505 ]

            Renan Battaglin added a comment -

            Hi all,

            Thank you so much for your votes and comments on this suggestion.

            We are beginning greater research on the topic of advanced auditing and would love to hear from you.

            We intend to better understand:

            • What information you need to log and keep about your Atlassian applications and environments
            • What are the questions you need to answer, or specific insights your are looking for when auditing logs

            Responses can be in regard to information that needs to be tracked for internal policies (i.e. security) or compliance standards (i.e. SOC2 or SOX)

            What’s involved in the research:

            • Sessions are 1 hour and conducted over video-conference, so you can participate from anywhere around the globe.
            • After scheduling, you'll receive a calendar invite with a video-conference link.
            • During the research, we'll start with a general chat to get to know you and your company, then try to understand better your auditing needs and even explore some prototypes.
            • As a token of our appreciation, you'll receive an e-gift card worth $100 USD within 5 days of completing your session.

            If you're interested in taking part, please send me an email at rbattaglin@atlassian.com and I'll get in touch. We can't guarantee that all interested parties will be selected but we appreciate your interest in helping us to make auditing in our products satisfy more advanced use cases.

            We look forward to meeting you!

            Cheers,
            Renan Battaglin
            Server and Data Center Team

            Renan Battaglin added a comment - Hi all, Thank you so much for your votes and comments on this suggestion. We are beginning greater research on the topic of advanced auditing and would love to hear from you. We intend to better understand: What information you need to log and keep about your Atlassian applications and environments What are the questions you need to answer, or specific insights your are looking for when auditing logs Responses can be in regard to information that needs to be tracked for internal policies (i.e. security) or compliance standards (i.e. SOC2 or SOX) What’s involved in the research: Sessions are 1 hour and conducted over video-conference, so you can participate from anywhere around the globe. After scheduling, you'll receive a calendar invite with a video-conference link. During the research, we'll start with a general chat to get to know you and your company, then try to understand better your auditing needs and even explore some prototypes. As a token of our appreciation, you'll receive an e-gift card worth $100 USD within 5 days of completing your session. If you're interested in taking part, please send me an email at rbattaglin@atlassian.com and I'll get in touch. We can't guarantee that all interested parties will be selected but we appreciate your interest in helping us to make auditing in our products satisfy more advanced use cases. We look forward to meeting you! Cheers, Renan Battaglin Server and Data Center Team
            Katherine Yabut made changes -
            Workflow Original: JAC Suggestion Workflow [ 3032116 ] New: JAC Suggestion Workflow 2 [ 3171109 ]
            Owen made changes -
            Workflow Original: Confluence Workflow - Public Facing v4 [ 2656325 ] New: JAC Suggestion Workflow [ 3032116 ]

            Yuya Yuasa added a comment -

            We are using Confluence access log and we are considering access audit.
            However, it is impossible to grasp whether access was refused or accessed successfully though accessed from the current log.

            Therefore, in the case of access refusal, please return 403 or 404 by HTTP status code.

            Yuya Yuasa added a comment - We are using Confluence access log and we are considering access audit. However, it is impossible to grasp whether access was refused or accessed successfully though accessed from the current log. Therefore, in the case of access refusal, please return 403 or 404 by HTTP status code.
            SET Analytics Bot made changes -
            Support reference count New: 1
            Nobuyuki Mukai made changes -
            Description Original: h3. Problem Definition
             # Create some page restricted to user A.
             # Login Confluence with user B.
             # Access to the page created in step 1.
             Then you will see the "No permission" screen. However it's responded as 200.

            !Screen_Shot_2018-04-12_at_9_17_26.png|width=680,height=332!
            h3. Suggested Solution

            It should return 403 forbidden or 404 not found.
            h3. Why this is important
             * When thinking of page access audit with [How to Enable User Access Logging|https://confluence.atlassian.com/confkb/how-to-enable-user-access-logging-182943.html], there's no way to detect "No permission" access attempt.             		New: h3. Problem Definition
             # Create some page restricted to user A.
             # Login Confluence with user B.
             # Access to the page created in step 1.
             Then you will see the "No permission" screen. However it's responded as 200.

            !Screen_Shot_2018-04-12_at_9_17_26.png|width=680,height=332!

            This was confirmed in Confluence 6.8.1.
            h3. Suggested Solution

            It should return 403 forbidden or 404 not found.
            h3. Why this is important
             * When thinking of page access audit with [How to Enable User Access Logging|https://confluence.atlassian.com/confkb/how-to-enable-user-access-logging-182943.html], there's no way to detect "No permission" access attempt.

              Unassigned Unassigned
              nmukai Nobuyuki Mukai
              Votes:
              3 Vote for this issue
              Watchers:
              5 Start watching this issue

                Created:
                Updated: