Drafts with restrictions appear as pages in the Restricted Pages list of a space

Summary

Applying restrictions to a draft causes it to show up in the Restricted Pages list of a space. The drafts are listed as pages there, which can be confirmed by clicking on the draft entry, it will load the draft in page view mode.

Steps to Reproduce

1. Visit a space
2. Click create and don't type anything to the draft
3. Apply restrictions using the padlock
4. Click close to save the draft
5. Visit Space tools > Permissions > Restrictions

Expected Results

Drafts are not listed on that menu.

Actual Results

Drafts are listed as if they were published pages:

If the draft has no title, it is listed as #webwork.htmlEncode($content.displayTitle) instead of "Untitled".

Notes

This causes confusion as users may think there are corrupted pages on the system, whereas instead, those are just drafts that can have empty titles. Another problem is that this allows an easy "exploit" of the following bug, since clicking on the list item will load the draft as a page with /pages/viewpage.action?pageId=<DRAFTID>

• https://jira.atlassian.com/browse/CONFSERVER-57697

This can then lead to other issues since the user can like, comment, and do other actions that aren't supposed to happen with a draft. That creates inconsistencies on the DB side that can cause issues later while trying to manipulate this object.

Workaround

Either remove the restrictions on such empty drafts or delete them using the following API call:

curl -vvv -S -u <USERNAME>:<PASSWORD> -X DELETE https://<CONFLUENCE-URL>/rest/api/content/<DRAFT-ID>?status=draft | python -mjson.tool