Bug
Resolution: Unresolved
Low
None
7.18.1
None
7
Severity 3 - Minor
1
Issue Summary
Normally Confluence doesn't allow group names to be created with upper-case characters. However, this check doesn't apply when group names are synchronized from an LDAP server, so group names in all upper-case or in a mix of upper-case and lower-case can be synchronized from LDAP servers.
When page restrictions are set via the REST API below for group names with mixed upper-case and lower-case characters, the pages can be viewed by members of these groups, but they cannot be found through search.
REST API:
<confluence-base-url>/rest/experimental/content/<pageId>/restriction
This is reproducible on Data Center: (yes)
Steps to Reproduce
- Set up Confluence with an AD.
- Create a group whose name is a mix of upper-case and lower-case characters (e.g. AbCd), or that otherwise contains upper-case characters.
- Create a page.
- Use the REST API to update the page restrictions with the group name.
  <confluence-base-url>/rest/experimental/content/<pageId>/restriction
  [
    {
      "operation": "update",
      "restrictions": {
        "group": [],
        "user": [ { "type": "user", "username": "admin" } ]
      }
    },
    {
      "operation": "read",
      "restrictions": {
        "user": [ { "type": "user", "username": "admin" } ],
        "group": [ { "type": "group", "name": "AbCd" } ]
      }
    }
  ]
Expected Results
The related restricted pages should be both viewable and searchable by members of groups whose names contain a mix of upper-case and lower-case characters.
Actual Results
The related restricted pages are viewable but not searchable by members of groups whose names contain a mix of upper-case and lower-case characters.
Workaround
Use the Confluence UI instead of the REST API to restrict the pages for the related groups.
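As an added example (not part of the original issue and not Atlassian's code), the pre-flight check below parses a restriction request body like the one in the steps to reproduce and lists the group restrictions whose names contain upper-case characters, so those pages can be restricted through the UI instead. The function names, the sample body and the one-entry-per-operation layout are assumptions made for the illustration.

```python
import json

# Constructed sample body: one entry per operation (assumed layout).
SAMPLE_BODY = json.dumps([
    {"operation": "update",
     "restrictions": {"group": [],
                      "user": [{"type": "user", "username": "admin"}]}},
    {"operation": "read",
     "restrictions": {"user": [{"type": "user", "username": "admin"}],
                      "group": [{"type": "group", "name": "AbCd"},
                                {"type": "group", "name": "confluence-users"}]}},
])


def _reject_duplicate_keys(pairs):
    """object_pairs_hook: fail when one JSON object repeats a key, because
    json.loads would otherwise silently keep only the last value."""
    keys = [key for key, _ in pairs]
    dupes = sorted({key for key in keys if keys.count(key) > 1})
    if dupes:
        raise ValueError(f"duplicate keys in one object: {dupes}")
    return dict(pairs)


def find_mixed_case_groups(body):
    """Return (operation, group name) pairs whose group name contains an
    upper-case character, the condition this issue describes."""
    entries = json.loads(body, object_pairs_hook=_reject_duplicate_keys)
    if not isinstance(entries, list):
        raise ValueError("expected a JSON array of restriction entries")
    flagged = []
    for entry in entries:
        operation = entry.get("operation")
        for group in entry.get("restrictions", {}).get("group", []):
            name = group.get("name", "")
            if any(ch.isupper() for ch in name):
                flagged.append((operation, name))
    return flagged


if __name__ == "__main__":
    for operation, name in find_mixed_case_groups(SAMPLE_BODY):
        print(f"{operation}: group {name!r} contains upper-case characters; "
              "set this restriction through the Confluence UI")
```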
- follows VULN-1074826