Details
Suggestion
Resolution: Unresolved
Description
Problem Definition
Even after restricting a user's ability to use the people directory or perform a quick search, a user can still use the REST API to locate another user's information:
rest/api/search?cql=text~"a name"
Suggested Solution
We cannot restrict the API entirely, as Confluence uses the same REST API for its processes, as noted in CONFSERVER-7913: Need ability to limit use of remote API to certain users, or a certain group. However, it would be useful to be able to restrict certain users or groups from receiving user results.
We have the CONFSERVER-7837: People Directory and "controlled" privacy / configure access to People Directory depending on Group membership feature request; however, this feature doesn't include results that can be pulled from the REST API.
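
To check whether accounts that were denied the people directory are still running text searches through the endpoint described above, the following added example (not part of the original issue and not Atlassian's code) scans access-log lines for successful `rest/api/search` requests whose `cql` parameter carries a `text~"..."` clause. The log layout, the sample lines and the `RESTRICTED_USERS` set are constructed assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines in an assumed "timestamp user method url status"
# layout; this is not Confluence's own access-log format.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z alice GET /rest/api/search?cql=text~%22a%20name%22 200
2024-05-01T10:00:05Z bob GET /rest/api/content/12345 200
2024-05-01T10:00:09Z carol GET /rest/api/search?cql=type%3Dpage%20and%20space%3DDOCS 200
2024-05-01T10:00:12Z alice GET /confluence/rest/api/search?cql=text+~+%22j+smith%22&limit=50 200
2024-05-01T10:00:15Z alice GET /rest/api/search?cql=text~%22blocked%22 403
2024-05-01T10:00:20Z dave GET /rest/api/search?cql=text~%22a%20name%22 200
"""

# Hypothetical: accounts whose people directory and quick search are restricted.
RESTRICTED_USERS = {"alice", "carol"}

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")
# CQL free-text clause, e.g. text~"a name" or text ~ "a name".
TEXT_CLAUSE = re.compile(r'\btext\s*~\s*"([^"]*)"', re.IGNORECASE)


def find_text_searches(log_text, restricted):
    """Return (timestamp, user, search term) for each successful
    rest/api/search request with a text~ clause made by a restricted user."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not fit the assumed layout
        ts, user, _method, url, status = m.groups()
        if user not in restricted or not status.startswith("2"):
            continue
        parts = urlsplit(url)
        # endswith() also covers deployments served under a context path.
        if not parts.path.endswith("/rest/api/search"):
            continue
        # parse_qs percent-decodes the value and turns '+' into a space.
        for cql in parse_qs(parts.query).get("cql", []):
            for term in TEXT_CLAUSE.findall(cql):
                hits.append((ts, user, term))
    return hits


if __name__ == "__main__":
    for ts, user, term in find_text_searches(SAMPLE_LOG, RESTRICTED_USERS):
        print(f"{ts} {user} searched text~\"{term}\" via REST API")
```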