Type: Bug
Resolution: Fixed
Priority: Low
Affects Version/s: 8.5.16, 9.1.1
Component/s: User - Global / Space Permissions
Severity 2 - Major
Issue Summary
Individual users granted System Administrator access under Global Permissions (they may also hold both Confluence Administrator and System Administrator) can view the names of restricted spaces that they are not permitted to access.
This is reproducible on Data Center: (yes)
Steps to Reproduce
- Log in as admin
- Create a new group, say it-services
- Create a user, say usr1, and add the user to the group it-services (ensure this user is not a member of the confluence-administrators group)
- Create a new space, say abcd, and go to Space tools > Permissions
- Edit the groups: remove the group confluence-users and add the group it-services, so that only members of it-services can access this space
- Optionally, add a user from the group it-services under Individual Users and give admin privileges for this space (this step is not required to reproduce the issue)
- Create another new space, say efgh, go to the space permissions and remove the group confluence-users, ensuring that no other group is added, so that no groups can access this space
- Add any admin user as space admin under Individual Users for this space and save the changes
- Go to Global Permissions and add the user usr1 under Individual Users, checking System Administrator access (you can also check both System Administrator and Confluence Administrator access)
- To summarise:
  - usr1 is a member of it-services and confluence-users only
  - usr1 is added as System Administrator under Individual Users in Global Permissions
  - usr1 can only view and access the space abcd
  - usr1 does not have access to the restricted space efgh, so is not supposed to see this space, nor any other restricted space that usr1 is not permitted to see
- Now log in to Confluence as usr1
- Go to the space directory: you will be able to view the name of the restricted space efgh
- When you click on the restricted space name, a 'Page not found' error is displayed
- Similarly, when usr1 tries to move a page to a different space and types the first few letters of the restricted space's name, the names of that space and of its pages are shown, which the user is not supposed to see
- Note that the user does not see the content of either the space or the pages, only the names

Expected Results
The user should not be able to view the name of any restricted space that he or she is not permitted to see unless he or she is a member of the Confluence Administrators group. This works as expected with Confluence v7.19.x (we tested on v7.19.18 and v7.19.26).
Actual Results
The user is able to view the names of the restricted space and also the names of the pages in that restricted space, even though he is not allowed to see those forbidden spaces.
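The following Python model is an added illustration written for this report; it is not Confluence source code and its data classes, function names and permission labels (SYSTEM_ADMIN, CONFLUENCE_ADMIN) are assumptions. It contrasts the reported directory behaviour (an individual System Administrator grant short-circuiting the space-level view check) with the expected behaviour (only confluence-administrators membership bypasses space restrictions), using the users, groups and spaces from the reproduction steps as constructed sample data. It also includes an audit helper that lists the accounts the workaround applies to.

```python
"""Model of the space-directory visibility check described in this report.

Added illustration, not Confluence code: the data classes, functions and
permission labels below are assumptions chosen to model the reported and
expected behaviour. Only the user, group and space names come from the report.
"""
from dataclasses import dataclass

CONFLUENCE_ADMIN_GROUP = "confluence-administrators"
SYSTEM_ADMIN = "SYSTEM_ADMIN"          # hypothetical label for the global permission
CONFLUENCE_ADMIN = "CONFLUENCE_ADMIN"  # hypothetical label for the global permission


@dataclass(frozen=True)
class User:
    name: str
    groups: frozenset          # group memberships
    global_perms: frozenset    # permissions granted under Individual Users


@dataclass(frozen=True)
class Space:
    key: str
    view_groups: frozenset     # groups with space view permission
    view_users: frozenset      # individual users with space view permission


def has_space_permission(user: User, space: Space) -> bool:
    """Space-level check: view permission via a group or an individual grant."""
    return bool(user.groups & space.view_groups) or user.name in space.view_users


def space_directory_reported(user: User, spaces: list) -> list:
    """Models the reported (buggy) behaviour: a System Administrator grant to an
    individual user short-circuits the space-level check, so the names of
    restricted spaces leak into the directory listing."""
    if SYSTEM_ADMIN in user.global_perms:
        return [s.key for s in spaces]
    return [s.key for s in spaces if has_space_permission(user, s)]


def space_directory_expected(user: User, spaces: list) -> list:
    """Expected behaviour per the report: only membership in the
    confluence-administrators group bypasses space restrictions."""
    if CONFLUENCE_ADMIN_GROUP in user.groups:
        return [s.key for s in spaces]
    return [s.key for s in spaces if has_space_permission(user, s)]


def individual_sysadmins_outside_admin_group(users: list) -> list:
    """Audit helper for the workaround: users holding System Administrator as an
    individual grant without being members of confluence-administrators."""
    return sorted(
        u.name for u in users
        if SYSTEM_ADMIN in u.global_perms and CONFLUENCE_ADMIN_GROUP not in u.groups
    )


# Constructed sample data mirroring the reproduction steps.
ADMIN = User("admin", frozenset({CONFLUENCE_ADMIN_GROUP, "confluence-users"}), frozenset())
USR1 = User("usr1", frozenset({"it-services", "confluence-users"}), frozenset({SYSTEM_ADMIN}))
SPACES = [
    Space("abcd", frozenset({"it-services"}), frozenset()),
    Space("efgh", frozenset(), frozenset({"admin"})),   # restricted: no groups at all
]
USERS = [ADMIN, USR1]

if __name__ == "__main__":
    print("reported:", space_directory_reported(USR1, SPACES))        # ['abcd', 'efgh']
    print("expected:", space_directory_expected(USR1, SPACES))        # ['abcd']
    print("audit:", individual_sysadmins_outside_admin_group(USERS))  # ['usr1']
```

Running the block prints the leaked listing for usr1 under the reported behaviour, the filtered listing under the expected behaviour, and the single account the workaround would need to be applied to.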
I have added a screen recording of this issue as well. The issue was first seen after upgrading Confluence from v7.19.26 to v8.5.16.
Workaround
The only workaround at present is to remove System Administrator access for all such users under Individual Users in Global Permissions.