Confluence Data Center / CONFSERVER-98582

Fix the response of group members endpoint


      Issue Summary

      When sending a GET request to the endpoint /rest/api/group/<GROUP_NAME>/member, the application responds with "Client must be authenticated to access this resource", even if the user is authenticated.

      For example, using cURL:

      curl -u test:test https://<BASE_URL>/confluence/rest/api/group/confluence-users/member
      <?xml version="1.0" encoding="UTF-8" standalone="yes"?><status><status-code>401</status-code><message>Client must be authenticated to access this resource.</message></status>

      This response message is not accurate: the request failed due to a lack of permissions. The user "test" is part of "confluence-users" and doesn't have administrative permissions.

      This issue may affect some other endpoints.

      Steps to Reproduce

      Send a GET request to the endpoint /rest/api/group/<GROUP_NAME>/member, using a normal user (non-admin).

      Confluence version: 8.5.x (LTS)

      Expected Results

      A 403 response with a more specific message such as the following one, which is already used on other endpoints:

      "The request has not been applied to the target resource because it lacks valid authentication credentials for that resource."

      Obs: On version 9.1.x, the message is:

      Actual Results

      Currently, we receive a 401 status code and the following message, if the user doesn't have permission to access the endpoint:

      "Client must be authenticated to access this resource".
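
      For clients that script against this endpoint, one way to tell the misreported permission failure apart from a genuine authentication failure. This is an added example, not Atlassian's code; the function names and the `credentials_verified` flag are hypothetical, and the caller is assumed to know whether the same credentials just succeeded on another authenticated request.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the 401 body shown in the report above.
SAMPLE_BODY = (
    '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
    "<status><status-code>401</status-code>"
    "<message>Client must be authenticated to access this resource.</message>"
    "</status>"
)


def parse_status(body):
    """Return (status_code, message) from a <status> XML body, else (None, None)."""
    if isinstance(body, str):
        body = body.encode("utf-8")
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return None, None
    if root.tag != "status":
        return None, None
    code = (root.findtext("status-code") or "").strip()
    return (int(code) if code.isdigit() else None), root.findtext("message")


def classify(http_status, body, credentials_verified):
    """Classify a response from the group members endpoint.

    credentials_verified (assumption): True when the same credentials were
    accepted on another authenticated request moments earlier.
    """
    body_code, _ = parse_status(body)
    if body_code is not None and body_code != http_status:
        return "inconsistent"            # status line and XML body disagree
    if http_status == 403:
        return "forbidden"               # the behaviour the report expects
    if http_status == 401:
        # Known-good credentials plus 401 matches the behaviour in this issue:
        # treat it as a permission denial, do not re-prompt or retry logins.
        return "forbidden-misreported" if credentials_verified else "unauthenticated"
    if 200 <= http_status < 300:
        return "ok"
    return "other"


if __name__ == "__main__":
    print(classify(401, SAMPLE_BODY, credentials_verified=True))
```

      Treating the misreported case as a permission denial keeps automation from retrying logins against an account whose credentials are valid.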

      Workaround

      Currently, there is no known workaround for this behavior. A workaround will be added here when available.

      A possible solution is to upgrade Confluence to 9.1.x.

              Assignee: Unassigned
              Reporter: Pablo Silva
              Votes: 16
              Watchers: 22