Issue Summary

      When sending a GET request to the endpoint /rest/api/group/<GROUP_NAME>/member, the application responds with "Client must be authenticated to access this resource", even if the user is authenticated.

      For example, using cURL:

      curl -u test:test https://<BASE_URL>/confluence/rest/api/group/confluence-users/member
      <?xml version="1.0" encoding="UTF-8" standalone="yes"?><status><status-code>401</status-code><message>Client must be authenticated to access this resource.</message></status>

      This response message is not accurate: the request failed because of a lack of permissions, not a lack of authentication. The user "test" is authenticated and is a member of "confluence-users", but does not have administrative permissions.

      This issue may affect some other endpoints.

      Steps to Reproduce

      Send a GET request to the endpoint /rest/api/group/<GROUP_NAME>/member, using a normal user (non-admin).

      Confluence version: 8.5.x (LTS)

      Expected Results

      A 403 response with a more specific message such as the following one, which is already used on other endpoints:

      "The request has not been applied to the target resource because it lacks valid authentication credentials for that resource."

      Note: on version 9.1.x, the message is:

      Actual Results

      Currently, we receive a 401 status code and the following message if the user doesn't have permission to access the endpoint:

      "Client must be authenticated to access this resource".
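      As an added example (not code from the Confluence project or from this report), the following Python sketches the status-code behaviour the report asks for on a group-members endpoint, next to the behaviour it describes: 401 with a WWW-Authenticate challenge when the caller is not authenticated, 403 when the caller is authenticated but lacks administrator permission, and 200 only for an administrator. The user directory, the group names, the admin-group name and the handler functions are constructed for the illustration; Confluence's own implementation is not shown here.

```python
import base64
from typing import Optional

# Constructed user directory and group membership for this illustration only
# (not real Confluence data): username -> password, group -> set of members.
USERS = {"test": "test", "admin": "admin-pw"}
GROUPS = {
    "confluence-users": {"test", "admin"},
    "confluence-administrators": {"admin"},
}
ADMIN_GROUP = "confluence-administrators"  # assumed name of the privileged group

AUTH_REQUIRED = "Client must be authenticated to access this resource."
FORBIDDEN = "The authenticated user lacks the administrator permission required to list group members."
CHALLENGE = {"WWW-Authenticate": 'Basic realm="confluence"'}


def basic_header(user: str, password: str) -> str:
    """Build an HTTP Basic Authorization header value, as `curl -u user:pass` does."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def authenticate(authorization: Optional[str]) -> Optional[str]:
    """Return the username if the Basic header carries valid credentials, else None."""
    if not authorization or not authorization.startswith("Basic "):
        return None
    try:
        decoded = base64.b64decode(authorization[len("Basic "):], validate=True).decode()
    except (ValueError, UnicodeDecodeError):
        return None
    user, sep, password = decoded.partition(":")
    if not sep or USERS.get(user) != password:
        return None
    return user


def reported_behaviour(authorization: Optional[str], group_name: str):
    """Behaviour described in the report: an authentication failure and a
    permission failure are both answered with 401 and the same message."""
    user = authenticate(authorization)
    if user is None or user not in GROUPS[ADMIN_GROUP]:
        return 401, dict(CHALLENGE), AUTH_REQUIRED
    if group_name not in GROUPS:
        return 404, {}, f"No group with name {group_name}."
    return 200, {}, sorted(GROUPS[group_name])


def expected_behaviour(authorization: Optional[str], group_name: str):
    """Handler for GET /rest/api/group/<group_name>/member that separates
    'who are you?' (401) from 'you may not' (403). Returns (status, headers, body)."""
    user = authenticate(authorization)
    if user is None:
        # Not authenticated: 401, and RFC 7235 requires a WWW-Authenticate challenge.
        return 401, dict(CHALLENGE), AUTH_REQUIRED
    if user not in GROUPS[ADMIN_GROUP]:
        # Authenticated but not permitted: 403 and no challenge, because retrying
        # with the same credentials cannot succeed.
        return 403, {}, FORBIDDEN
    if group_name not in GROUPS:
        return 404, {}, f"No group with name {group_name}."
    return 200, {}, sorted(GROUPS[group_name])


if __name__ == "__main__":
    callers = (("anonymous", None),
               ("test (non-admin)", basic_header("test", "test")),
               ("admin", basic_header("admin", "admin-pw")))
    for label, handler in (("reported", reported_behaviour), ("expected", expected_behaviour)):
        for who, auth in callers:
            status, _, body = handler(auth, "confluence-users")
            print(f"{label:8} {who:18} -> {status} {body}")
```

      The check a client can make is in the headers, not only in the status line: a genuine 401 carries a WWW-Authenticate challenge, while the 403 for the non-admin user "test" carries none and a body that names the missing permission. A client that re-prompts for credentials on every 401 will loop uselessly against the reported behaviour, because the credentials it already sent were accepted.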

      Workaround

      Currently, there is no known workaround for this behavior. A workaround will be added here when available.

      A possible solution is to upgrade Confluence to 9.1.x.


            [CONFSERVER-98582] Fix the response of group members endpoint

            anja.sandadi added a comment -

            Same here. We upgraded Confluence from version 8.5.11 to 8.5.18 and we started seeing the HTTP 401 error. Any workaround is much appreciated. Thanks


            Dube, Jamieson added a comment - - edited

            Hello! jhronik - could you please link me to release notes showing the change restricting the /group-name/member endpoint to admins only? Thank you!


            Kevin added a comment -

            jhronik Thank you for your feedback. For me it was more about the HTTP response code being 401 instead of 200, while I agree that it should be 403 instead of 401.

            Regarding the endpoint restriction: I was not able to notice the change on the release notes. So was this intentional?


            Jiri Hronik added a comment - - edited

            38303b0d5e94 This report is about error response (401 vs 403), not that the REST API broke. Can you please elaborate on the issue you're experiencing?
            Update: I see now. I found that /<group-name>/member endpoint was restricted to admin-only access in 8.5.17.


            Kevin added a comment -

            I can confirm this.

            Further:

            • We just upgraded from version 8.5.14 to 8.5.17. Before that it was possible to get a HTTP 200 response on that endpoint without administrative privileges, now it returns HTTP 401 Unauthorized instead.


              Assignee: Unassigned
              Reporter: Pablo Silva
              Affected customers: 14
              Watchers: 20