  1. Confluence Data Center
  2. CONFSERVER-59513

Inspect permissions and people who can view ignore parents of nested groups


      Issue Summary

      The new Inspect permissions feature does not respect nested groups. This also applies to the "people who can view" feature.

      Steps to Reproduce

      1. Use an external user directory server
      2. Have a user who is directly in group ChildGroup, which is a child group of ParentGroup
      3. Ensure the user is known to Confluence, e.g. by logging in as them.
      4. Give ParentGroup permission to do something in Confluence. E.g. give ParentGroup access to view pages in a space
      5. Inspect permissions for the user

      Expected Results

      The permissions for the user should show that the user gets permissions from ParentGroup

      Actual Results

      The permissions for the user disregard permissions from ParentGroup

      Impact & Workaround

      To check if you are impacted by this issue, please run the following query on your database:

      select s.spacekey as "SPACE KEY", parent.group_name as "PARENT GROUP WITH PERMISSIONS",  child_group.group_name as "CHILD GROUP"
      from cwd_membership m, cwd_group parent, cwd_group child_group, spacepermissions perms left join spaces s ON perms.spaceid = s.spaceid
      where m.child_group_id is not null
        and m.parent_id = parent.id
        and m.child_group_id = child_group.id
        and parent.group_name = perms.permgroupname
        group by parent.group_name, s.spacekey, child_group.group_name;

      If this query returns one or more results, then you are impacted and permissions assigned to the resulting parent/intermediate groups won’t be recognised by the People who can view or Inspect permissions features.
      Please note that this doesn’t mean that these permissions aren’t enforced; it just means that the Inspect permissions and People who can view features will not reflect them.
      If you are impacted by this issue, we recommend you go to Manage Apps and temporarily disable the Inspect Permissions - Gatekeeper system app. This will disable the People who can view and Inspect Permissions features, and prevent users and admins from relying on information that is incorrect.
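
The gap described above, as an added example (not Atlassian's code): a direct-membership lookup compared with a recursive walk up the group hierarchy, which also covers more than one level of nesting. The SQLite schema is a constructed miniature using the table and column names from the impact query; `child_user_id`, `GrandparentGroup`, user id 100 and the space keys are assumptions.

```python
import sqlite3

# Constructed miniature of the tables the impact query reads; only the columns
# used here are modelled, and child_user_id is an assumed column name.
SCHEMA = """
CREATE TABLE cwd_group (id INTEGER PRIMARY KEY, group_name TEXT);
CREATE TABLE cwd_membership (parent_id INTEGER, child_group_id INTEGER, child_user_id INTEGER);
CREATE TABLE spaces (spaceid INTEGER PRIMARY KEY, spacekey TEXT);
CREATE TABLE spacepermissions (spaceid INTEGER, permgroupname TEXT);
INSERT INTO cwd_group VALUES (1, 'ParentGroup'), (2, 'ChildGroup'), (3, 'GrandparentGroup');
INSERT INTO cwd_membership VALUES (1, 2, NULL), (3, 1, NULL), (2, NULL, 100);  -- user 100 is in ChildGroup
INSERT INTO spaces VALUES (10, 'DOCS'), (11, 'OPS');
INSERT INTO spacepermissions VALUES (10, 'ParentGroup'), (11, 'GrandparentGroup');
"""

# Direct memberships only: the view the issue says the inspection features show.
DIRECT = """
SELECT s.spacekey, g.group_name
FROM cwd_membership m
JOIN cwd_group g ON g.id = m.parent_id
JOIN spacepermissions p ON p.permgroupname = g.group_name
JOIN spaces s ON s.spaceid = p.spaceid
WHERE m.child_user_id = ?
ORDER BY s.spacekey
"""

# Transitive closure over parent groups; UNION de-duplicates, so cycles terminate.
NESTED = """
WITH RECURSIVE ancestors(group_id) AS (
    SELECT parent_id FROM cwd_membership WHERE child_user_id = ?
    UNION
    SELECT m.parent_id FROM cwd_membership m
    JOIN ancestors a ON m.child_group_id = a.group_id
)
SELECT s.spacekey, g.group_name
FROM ancestors a
JOIN cwd_group g ON g.id = a.group_id
JOIN spacepermissions p ON p.permgroupname = g.group_name
JOIN spaces s ON s.spaceid = p.spaceid
ORDER BY s.spacekey
"""

def space_grants(user_id, nested):
    """Return [(spacekey, granting group)] for a user, with or without nesting."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    return db.execute(NESTED if nested else DIRECT, (user_id,)).fetchall()

if __name__ == "__main__":
    print(space_grants(100, nested=False), space_grants(100, nested=True))
```

The difference between the two result sets is what an audit has to account for while the inspection features are disabled.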

            don.willis@atlassian.com Don Willis