-
Bug
-
Resolution: Won't Fix
-
High
-
None
-
2.5
-
None
-
Standalone Solaris 10 Unix with JDK 1.5
When a group sets the permissions on a page to view and edit only for that group, the admin can view the page by typing in the url. This should not be the case. Many gourps want to post secure information and not allow the admin to view it.
Knowing that the admin could remove the restrictions on the page and view the page is OK since we know that this could be detected. But the ability for them to type in the url to a page and view it isn't acceptable.
I assume this affects all versions that allow page restrictions.
- relates to
-
CONFSERVER-4616 Remove/rework special privileges of confluence-administrators ("superuser") group
- Gathering Interest
Unfortunately, this is a consequence of the implementation of the 'superuser' capabilities of the confluence-administrators group. There are plans to re-organise this part of Confluence, but at the moment administrator users can access restricted pages by typing in the url to the page. This problem only applies to a Confluence administrator, not space administrators.
A space administrator cannot directly see restricted pages, but she can remove the restrictions within her space on the Space Admin tab of the Browse Space page.
Please watch and vote for CONF-4616 which would fix this problem.
Agnes.