- Type: Bug
- Resolution: Fixed
- Priority: Low
- Affects Version/s: 7.3.1
- Component/s: User - Global / Space Permissions
- Severity 2 - Major
Issue Summary
When users have had username clashes, the Inspect Permissions feature interprets "Unknown user" permissions as anonymous permissions.
Steps to Reproduce
- Have a Confluence instance with an external user directory and two users, usera and userb.
- In Confluence, grant userb individual permission to a space, or global "Can use" permission to the instance. Do not grant anonymous access to the space or globally.
- In the external directory, delete userb.
- Sync Confluence with the external directory.
- Observe that the space/global permissions are still shown, but they are now shown as belonging to "Unknown user".
- Rename usera to userb.
- Observe that the space/global permissions are still shown as belonging to "Unknown user".
- Restart Confluence.
- Use the Inspect permissions screen to check the permissions in the space or globally. In particular, check the <anonymous> permissions.
An alternative way to produce this bug is to have multiple external directories that provide different users with the same username.
Expected Results
The original userb permission should have no effect on Inspect permissions.
Actual Results
The original userb permission is shown as granting anonymous access. It appears both as a permission that anonymous users have and as all groups having that access to the space via anonymous access.
Workaround
You can use the following query to get a list of spaces and users that have these permissions:
select s.spacekey, u.user_key, u.username, u.lower_username
from spaces s, spacepermissions sp
left join user_mapping u on sp.permusername = u.user_key
where s.spaceid = sp.spaceid
  and u.user_key is not null
  and u.lower_username is null
Then visit the space permissions screen for each space listed and, assuming the Unknown users are genuinely obsolete, remove the space permissions of the Unknown users. Under most circumstances Unknown user permissions will be obsolete and have no further value. A possible exception is when the Confluence instance's user directories have been temporarily rearranged or altered, so that the affected users will be restored later.
Then restart Confluence, or disable and enable the "Inspect Permissions - Gatekeeper" plugin.
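The workaround query run against constructed data that mirrors the reproduction steps, as an added example that is not part of the original issue. It uses an in-memory SQLite database with a simplified schema containing only the columns the query names plus permtype, and goes beyond the query above with a variant for global grants, which assumes those are stored as spacepermissions rows with a NULL spaceid.

```python
import sqlite3

# Constructed, simplified schema (not the full Confluence schema).
SCHEMA = """
create table spaces (spaceid integer primary key, spacekey text);
create table user_mapping (user_key text primary key, username text, lower_username text);
create table spacepermissions (permid integer primary key, spaceid integer,
                               permtype text, permusername text);
"""

# Constructed sample data: the original userb was deleted (its mapping row
# keeps the key but lower_username is NULL), then usera was renamed to userb.
SAMPLE = """
insert into spaces values (1, 'DOCS'), (2, 'HR');
insert into user_mapping values ('key-old-userb', 'userb', NULL),
                                ('key-usera', 'userb', 'userb');
insert into spacepermissions values
  (10, 1, 'VIEWSPACE', 'key-old-userb'),         -- stale grant in a space
  (11, 2, 'VIEWSPACE', 'key-usera'),             -- live user, must not be listed
  (12, NULL, 'USECONFLUENCE', 'key-old-userb'),  -- stale global grant (assumed layout)
  (13, 1, 'VIEWSPACE', NULL);                    -- grant not tied to a user
"""

# The workaround query from the issue, unchanged apart from line breaks.
SPACE_QUERY = """
select s.spacekey, u.user_key, u.username, u.lower_username
from spaces s, spacepermissions sp
left join user_mapping u on sp.permusername = u.user_key
where s.spaceid = sp.spaceid and u.user_key is not null and u.lower_username is null
"""

# Added variant: the join on spaces above drops rows with no space, so
# global grants held by Unknown users need their own query.
GLOBAL_QUERY = """
select sp.permtype, u.user_key, u.username
from spacepermissions sp
join user_mapping u on sp.permusername = u.user_key
where sp.spaceid is null and u.lower_username is null
"""

def find_stale_grants():
    """Return (space-level rows, global rows) held by Unknown users."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA + SAMPLE)
    return db.execute(SPACE_QUERY).fetchall(), db.execute(GLOBAL_QUERY).fetchall()

if __name__ == "__main__":
    for rows in find_stale_grants():
        print(rows)
```

On a real instance, run the queries read-only against the Confluence database and review the output before removing any permissions.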
This bug is fixed in 7.4.1 and 7.5.0.