• Type: Bug
• Resolution: Timed out
• Priority: Low
• Fix Version/s: None
• Affects Version/s: 2.4
• Component/s: None
• Labels:

  None

[CWD-2917] Possibility to Access Restricted Pages With Recreated Group

Collapse comment: Chad Barnes added a comment - 05/Sep/2012 6:29 PM

Chad Barnes added a comment - 05/Sep/2012 6:29 PM

This is related to Confluence and external Crowd groups. Confluence page restrictions are based on group names. So, if the group is ever removed, via external synchronization, and later recreated with the same name then it is possible a different set of users gains access to restricted content.

Instead, it seems more secure to control access via a group's globally unique identifier. A unique number that can never be re-used after a group is deleted. Thus, even if a same-named group is created it will not be applicable to any legacy page restrictions.

I'm not sure this is so much a Crowd issue as it is a group permission issue across all the tools.

Expand comment: Chad Barnes added a comment - 05/Sep/2012 6:29 PM

Chad Barnes added a comment - 05/Sep/2012 6:29 PM This is related to Confluence and external Crowd groups. Confluence page restrictions are based on group names . So, if the group is ever removed, via external synchronization, and later recreated with the same name then it is possible a different set of users gains access to restricted content. Instead, it seems more secure to control access via a group's globally unique identifier. A unique number that can never be re-used after a group is deleted. Thus, even if a same-named group is created it will not be applicable to any legacy page restrictions. I'm not sure this is so much a Crowd issue as it is a group permission issue across all the tools.