Issue Summary
Normally Confluence doesn't let create group names by using upper-case. However, this check doesn't apply when the group names are synchronized from an LDAP server. So the group names with all upper-case or mixed upper-case and lower-case are allowed to be synchronized from LDAP servers.
When setting page restrictions via the below REST API for the group names with mixed upper-case and lower-case, these pages can be viewed by the member of these groups, however, they are not searchable through the search section.
REST API:
<confluence-base-url>/rest/experimental/content/<pageId>/restriction
This is reproducible on Data Center: (yes)
Steps to Reproduce
- Set up Confluence with an AD.
- Create a group with a fix of upper and lower case names (e.g. AbCd) or generally have uppercase characters.
- Create a page.
- Use the REST API to update the page restrictions with the group name.
<confluence-base-url>/rest/experimental/content/<pageId>/restriction
[
{
"operation": "update",
"restrictions": {
"group": [],
"user": [
{
"type": "user",
"username": "admin"
}
]
},
"operation": "read",
"restrictions": {
"user": [
{
"type": "user",
"username": "admin"
}
],
"group": [
{
"type": "group",
"name": "AbCd"
}
]
}
}
]
Expected Results
The related restricted pages should be both viewable and searchable by the member of the groups that contain a mix of upper-case and lower-case characters.
Actual Results
The related restricted pages are viewable but they are not searchable by the member of the groups that contain a mix of upper-case and lower-case characters.
Workaround
Using Confluence UI to restrict the pages for the related groups instead of REST API.
Bug
Low
VULN-1074826 Failed to load