Details
- Bug
- Resolution: Unresolved
- Low
- None
- 7.13.2, 7.14.1
- None
- 2
- Severity 3 - Minor
- 0
Description
Issue Summary
This is reproducible on Data Center: (yes)
The Atlassian REST API documentation describes the following endpoint as the way to remove a user as a watcher from a page.
DELETE http://example.com/confluence/rest/api/user/watch/content/131213?username=jblogs
This endpoint works for users who are watchers of the page. However, it does not work if the user does not have permission to view the page. This can happen, for example, if a user was originally able to view and edit the page, but the page was later restricted.
Steps to Reproduce
- A user watches a page
- Change the restrictions on the page so that the above user does not have access to it.
- Run the rest/api/user/watch/content endpoint against the user and the content.
Expected Results
The endpoint removes the user from the content's watch list.
Actual Results
This fails and the following is returned:
"statusCode": 403, "data": { "authorized": false, "valid": true, "allowedInReadOnlyMode": true, "errors": [], "successful": false }, "message": "User not permitted to view content", "reason": "Forbidden"
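A cleanup script that removes watchers in bulk can separate this specific failure from other errors by checking the status code together with the message text. The following is an added example, not Atlassian's code: the helper names are hypothetical, the 204 success status is an assumption, and the sample responses are constructed from the output above.

```python
import json
from urllib.parse import quote, urlencode

# Message text taken from the "Actual Results" output in this ticket.
RESTRICTED_MSG = "User not permitted to view content"

def unwatch_url(base_url, content_id, username):
    """Build the DELETE URL in the form shown in this ticket."""
    path = "/rest/api/user/watch/content/" + quote(str(content_id), safe="")
    return base_url.rstrip("/") + path + "?" + urlencode({"username": username})

def classify_unwatch(status, body_text):
    """Map one DELETE response to removed / blocked_by_restriction / error."""
    if status == 204:  # assumption: success returns 204 with no body
        return "removed"
    try:
        body = json.loads(body_text) if body_text else {}
    except json.JSONDecodeError:
        body = {}  # e.g. an HTML error page from a proxy
    if not isinstance(body, dict):
        body = {}
    if status == 403 and body.get("message") == RESTRICTED_MSG:
        return "blocked_by_restriction"  # the behaviour this ticket reports
    return "error"

def triage(results):
    """results: iterable of (content_id, username, status, body_text)."""
    report = {"removed": [], "blocked_by_restriction": [], "error": []}
    for content_id, username, status, body_text in results:
        report[classify_unwatch(status, body_text)].append((content_id, username))
    return report

# Constructed sample: the ticket's 403 body wrapped in braces, plus made-up cases.
SAMPLE_403 = json.dumps({
    "statusCode": 403,
    "data": {"authorized": False, "valid": True, "allowedInReadOnlyMode": True,
             "errors": [], "successful": False},
    "message": RESTRICTED_MSG, "reason": "Forbidden"})
SAMPLE = [
    ("131213", "jblogs", 403, SAMPLE_403),
    ("131214", "jblogs", 204, ""),
    ("131215", "jblogs", 403, '{"statusCode": 403, "message": "constructed other denial"}'),
    ("131216", "jblogs", 502, "<html>Bad Gateway</html>"),
]

if __name__ == "__main__":
    print(unwatch_url("http://example.com/confluence", 131213, "jblogs"))
    for outcome, pairs in triage(SAMPLE).items():
        print(outcome, pairs)
```

Entries reported as blocked_by_restriction are the watcher records that this endpoint cannot remove while the bug is unresolved.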
Workaround
Currently there is no known workaround for this behavior. A workaround will be added here when available.