Details
Type: Suggestion
Resolution: Unresolved
Description
Current Scenario
When any user manages the page restrictions from the web UI, they are forcibly added to the page's restrictions before any modification is saved.
See the example below:
- Logged-in user: admin002
- Current page restrictions:
- admin002 clicks on the padlock in the page view mode.
- admin002 is compulsorily added to the restrictions of that page and cannot remove himself.
This may be fine for regular Confluence users, but it should not apply to administrators who are members of the confluence-administrators group.
Consider the following example:
- admin002 is hired as a Confluence administrator and added to the confluence-administrators group.
- There is a space that is open to every user.
- admin002 receives a request to add user001 as an editor of a page in that space.
- admin002 should not be an editor of this page, but can already access it, because membership of confluence-administrators grants access to all content.
- While adding user001 as an editor of that page, a restriction for admin002 is automatically added as well.
- admin002 moves to another role within the organization and is removed from the confluence-administrators group, but keeps access to the page through the direct restriction.
- Another administrator discovers this and removes admin002's access to that page.
- That administrator is now in turn added to the restriction and has direct access to the restricted page.
In this example, the Confluence administrator should have the option to change the page restrictions without being forcibly added to them.
The same problem occurs with the experimental REST API method /rest/experimental/content/<page ID>/restriction/byOperation/read/user?userName=<user name>: called as a Confluence administrator who has no direct restriction on the content, the request is rejected and the restrictions cannot be changed.
See the REST API error below:
{
  "statusCode": 400,
  "data": {
    "authorized": true,
    "valid": false,
    "errors": [
      {
        "message": {
          "translation": "Provided ContentRestrictions evicts current user (you) from: [read]. Must include yourself in \"user\" sections for READ and/or UPDATE when restricting those operations. Must not provide restrictions which when applied result in current situation.",
          "args": []
        }
      }
    ],
    "successful": false
  },
  "message": "Provided ContentRestrictions evicts current user (you) from: [read]. Must include yourself in \"user\" sections for READ and/or UPDATE when restricting those operations. Must not provide restrictions which when applied result in current situation."
}
The check also ignores whether the user changing the page restriction is already covered by a group that is in the restriction.
Consider the following example:
- admin002 is a member of the group confluence-users.
- confluence-users has a view/edit restriction on a certain page.
- To make any modification to the page restriction, admin002 is still compulsorily added to it directly, without regard to the group-based restriction that already grants access.
Expected Scenario
Based on the current scenario described above, this is the expected Confluence behaviour:
- If a user is a member of confluence-administrators, they should not be compulsorily added to the page restrictions when modifying them from the web UI.
- Likewise, the REST API should not require a direct restriction to be in place for such a user.
- If a user is a member of a group that is already in the page restrictions, the user should not need a direct restriction to modify them.
- The same should apply to REST API calls: effective group restrictions should be taken into account.
Workaround
There are two known workarounds for this issue, described below.
Page Information
This only works for removing a restriction; it cannot add one.
As a Confluence or space administrator:
- Open the Page Information page.
- In the Page Permissions section, click the padlock next to the restriction you want to remove.
JSON RPC API
While the REST API does not have all the necessary methods implemented, the deprecated JSON-RPC API is still bundled with Confluence.
Before using it, make sure it is enabled.
The following two JSON-RPC API methods change the restrictions of a page:
- getContentPermissionSet(String token, String contentId, String permissionType)
returns the set of permissions on a page as a map of type to a list of ContentPermission, for the permission type 'View' or 'Edit'.
- setContentPermissions(String token, String contentId, String permissionType, Vector permissions)
sets the page-level permissions for a particular permission type ('View' or 'Edit') to the provided vector of ContentPermissions. If an empty list of permissions is passed, all page permissions of that type are removed. If the existing list of permissions is passed unchanged, this method does nothing.
Setting page restrictions with setContentPermissions does not require you to explicitly add yourself to the restriction, and a Confluence administrator can do it. Because the method replaces the whole list for that type, read the current permissions first and pass them back together with the new entry; passing only the new entry would remove every existing restriction of that type.
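The following script is an added example of the JSON-RPC workaround above; it is not code from this issue or from Atlassian. It reads the current permission set, appends the new user or group without adding the caller, and writes the merged list back, which is the read-merge-write step setContentPermissions requires. It also recognises the "evicts current user" 400 response quoted in the REST API section, so a script can fall back from REST to JSON-RPC. Assumptions (labelled in the code): the JSON-RPC 2.0 endpoint is /rpc/json-rpc/confluenceservice-v2 with HTTP basic authentication, so the RPC `token` argument is omitted; a ContentPermission serialises as a dict with "type" plus "userName" or "groupName", and getContentPermissionSet returns a dict with a "contentPermissions" list; the page id 12345, the FakeConfluence transport and its contents are constructed for offline use.

```python
"""Add a principal to a page's View/Edit restriction through Confluence JSON-RPC.

Added example, not from the issue or Atlassian. Assumptions: JSON-RPC 2.0 at
<base>/rpc/json-rpc/confluenceservice-v2 with HTTP basic auth (RPC `token`
omitted); ContentPermission = {"type": "View"|"Edit", "userName"|"groupName": ...};
getContentPermissionSet returns {"type": ..., "contentPermissions": [...]}.
"""
import json
import urllib.request
from typing import Any, Callable, Dict, List, Optional

JSONRPC_PATH = "/rpc/json-rpc/confluenceservice-v2"   # assumed endpoint path


def http_transport(base_url: str, authorization: str) -> Callable[[str, list], Any]:
    """Transport that POSTs JSON-RPC 2.0 calls to a live Confluence (not run offline)."""
    state = {"id": 0}

    def call(method: str, params: list) -> Any:
        state["id"] += 1
        body = json.dumps({"jsonrpc": "2.0", "method": method,
                           "params": params, "id": state["id"]}).encode()
        req = urllib.request.Request(
            base_url.rstrip("/") + JSONRPC_PATH, data=body, method="POST",
            headers={"Content-Type": "application/json", "Authorization": authorization})
        with urllib.request.urlopen(req) as resp:
            reply = json.load(resp)
        if reply.get("error"):
            raise RuntimeError(f"{method} failed: {reply['error']}")
        return reply.get("result")
    return call


def is_eviction_error(rest_reply: Dict[str, Any]) -> bool:
    """True if a REST restriction call was refused because it would evict the caller
    (statusCode 400, data.valid false, an error mentioning 'evicts current user')."""
    if rest_reply.get("statusCode") != 400:
        return False
    data = rest_reply.get("data", {})
    if data.get("valid", True):
        return False
    return any("evicts current user" in e.get("message", {}).get("translation", "")
               for e in data.get("errors", []))


def _key(perm: Dict[str, Any]):
    return (perm["type"], perm.get("userName"), perm.get("groupName"))


def add_restriction(call: Callable[[str, list], Any], content_id: str, perm_type: str,
                    user_name: Optional[str] = None,
                    group_name: Optional[str] = None) -> List[Dict[str, Any]]:
    """Add one user or group to the page restriction of the given type.

    setContentPermissions replaces the whole list for that type, so the current
    list is read first and written back with the new entry appended. The caller
    is never added, which is what the web UI and the REST endpoint refuse to allow.
    """
    if perm_type not in ("View", "Edit"):
        raise ValueError("perm_type must be 'View' or 'Edit'")
    if (user_name is None) == (group_name is None):
        raise ValueError("pass exactly one of user_name or group_name")
    current = call("getContentPermissionSet", [content_id, perm_type]) or {}
    existing = list(current.get("contentPermissions", []))
    new_perm: Dict[str, Any] = {"type": perm_type}
    if user_name is not None:
        new_perm["userName"] = user_name
    else:
        new_perm["groupName"] = group_name
    if _key(new_perm) in {_key(p) for p in existing}:
        return existing                      # already present; the RPC would be a no-op
    merged = existing + [new_perm]
    call("setContentPermissions", [content_id, perm_type, merged])
    return merged


class FakeConfluence:
    """Constructed in-memory stand-in for the RPC endpoint, for offline runs."""

    def __init__(self) -> None:
        self.sets: Dict[tuple, List[Dict[str, Any]]] = {}
        self.calls: List[tuple] = []

    def __call__(self, method: str, params: list) -> Any:
        self.calls.append((method, params))
        content_id, perm_type = params[0], params[1]
        if method == "getContentPermissionSet":
            return {"type": perm_type,
                    "contentPermissions": list(self.sets.get((content_id, perm_type), []))}
        if method == "setContentPermissions":
            self.sets[(content_id, perm_type)] = list(params[2])
            return True
        raise RuntimeError(f"unknown method {method}")


def demo() -> List[Dict[str, Any]]:
    """Issue scenario: admin002 adds user001 as editor of constructed page 12345,
    already restricted to the confluence-users group, without adding admin002."""
    fake = FakeConfluence()
    fake.sets[("12345", "Edit")] = [{"type": "Edit", "groupName": "confluence-users"}]
    return add_restriction(fake, "12345", "Edit", user_name="user001")


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Against a real instance, replace the fake with http_transport("https://confluence.example", "Basic <base64 user:password>") and pass it to add_restriction; the returned list is what the page's restriction of that type now contains.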