CONFSERVER-7073

Link to restricted pages that don't reveal page space/title - make tinyURLs give 'Page Not Found' if user lacks View permission

    • We collect Confluence feedback from various sources, and we evaluate what we've collected when planning our product roadmap. To understand how this piece of feedback will be reviewed, see our Implementation of New Features Policy.

      At present, users cannot create links to pages without revealing the page title. If a user wishes to link to a restricted page, they must reveal its existence. If users wish to maintain private pages as completely secret, the only current workaround is never to link to those pages.

      However, they can use the page's tiny link with a harmless alias to create a completely secret link. For example "The finance team should check out this page" is generic enough to be publicly viewable without compromising security. To implement this, page behaviour for hidden pages should duplicate nonexistent pages:

      1) TinyURL should check page permissions for a user when the TinyURL is accessed and go to 'Page Not Accessible' if 'View' permission is not granted.

      2) Replace TinyURL 'Page Not Found' error with "Page Not Accessible". Current message is "The page you were trying to reach does not exist. You may want to try a search, or browse the site to find the page you were looking for." This should be updated for anonymous viewers:

      "Page Not Accessible
      The page either does not exist, or you must be logged in to view it. You can [login or sign-up for an account here]. Alternatively, you can browse the site for other public pages."

      For logged-in users without View access, the page should state that they may need further permissions:

      "Page Not Accessible
      The page either does not exist, or you do not have permission to view it. If you believe this page exists and you should have permission to access it, please [contact your administrator]. Alternatively, you can browse the site for another page."


            Matt Ryall added a comment -

            Tiny URL is not designed to intentionally obscure the destination of a link – it is designed to make a link shorter for use in small spaces (e.g. email). Thus, we won't be changing the behaviour of tiny URL specifically with regards to permission checking or responses for failed security checks – the behaviour for tiny URLs will always be the same as if you visited the page directly.

            Then there is the second (and seemingly more popular) problem that users without view permission are confused when they see "Page not found". This issue is better covered by another issue, CONF-9239. I'd recommend people who are interested in this issue vote for and watch that one for updates.

            Regards,
            Matt


            Andy Brook (Javahollic Software) added a comment -

            I have had several users of my instance get very confused with "Page Not Found" messages when it could easily be "Page Not Found / Unauthorized to Access Page", a trivial change with no API implications. Please fix this. New users should not have to 'interpret' error messages; they should be self-explanatory under all situations!

            Barry Caruth added a comment -

            The "Page not found" message when a user opens a TinyURL to a page they do not have permissions to is confusing.

            The message "Page not accessible" makes much more sense and should definitely link to the login page if they are not already logged in.

              Assignee: Unassigned
              Reporter: David Soul [Atlassian] (david.soul@atlassian.com)
              Votes: 3
              Watchers: 4