[JSDSERVER-5141] Other SD Projects Knowledge Base are accessible through direct link

Type: Bug
Resolution: Not a bug
Priority: Highest
Fix Version/s: None
Affects Version/s: 3.4.2
Component/s: Knowledge Base
Labels:

Support reference count:
4
Symptom Severity:
Severity 2 - Major
Bug Fix Policy:
View Atlassian Server bug fix policy

Summary:

If a Customer only able to access one SD Portal and log in to Confluence, it is actually possible for that Customer to access other SD Project KBs through a Direct URL Link including navigating the space.

Steps to Reproduce:

Prepare a JIRA instance that is connected to Confluence with the same User Base.
Create two SD Project (SD1 and SD2) and connect it to a Confluence Space each (KB1 and KB2)
Both SD projects have permissions set: "Customers who are added to the project"

Make sure the option below is enabled when connecting the Spaces:

"All active users and customers can access the knowledge base without a Confluence license."

Create a Customer that only exists in SD1 and log in as the Customer to SD1 Portal.
Search for an Article in KB1 to clarify that it returns a result.
Search for an Article in KB2 to clarify that it should not returns anything.
Log in to Confluence using the Customer credentials and clarify that there is no other menu beside the Confluence Logo to clarify that the Customer does not have a Confluence License.
Open another session and log in to Confluence as an Admin.
Access the KB2 space and copy the URL.
Back to the Customer session and paste the link

Expected Result:

With the customer is only allowed to access SD1, the connected KB2 will return the "not permitted" error.

Actual Result:

The Customer will access the space and able to navigate around it.

was cloned as

JSDSERVER-6097 Other SD Projects Knowledge Base are accessible through direct link

Closed

JSMDC-700 You do not have permission to view this issue

Andrew Culver added a comment - 05/Feb/2019 3:39 PM

Reopen this immediately. This is a severe problem for our users.

Andrew Culver added a comment - 05/Feb/2019 3:39 PM Reopen this immediately. This is a severe problem for our users.

Henri Volk [amily] added a comment - 27/Sep/2018 7:14 PM

Wondering why this is not a bug as it is a obviously a security issue. Let me explain again if needed.

Henri Volk [amily] added a comment - 27/Sep/2018 7:14 PM Wondering why this is not a bug as it is a obviously a security issue. Let me explain again if needed.

Henri Volk [amily] added a comment - 27/Jul/2017 9:17 PM

Hi, as for a high prio marked security issue I am wondering about zero activity here. Any ETA for a fix? Maybe opening the issue to others would help to get votes. ANother forum I should use?

Regards

Henri Volk [amily] added a comment - 27/Jul/2017 9:17 PM Hi, as for a high prio marked security issue I am wondering about zero activity here. Any ETA for a fix? Maybe opening the issue to others would help to get votes. ANother forum I should use? Regards

Assignee:: Unassigned

Reporter:: Henri Volk [amily]

Affected customers:: 0 This affects my team

Watchers:: 8 Start watching this issue

Created:: 24/May/2017 3:23 PM

Updated:: 06/Nov/2023 5:38 PM

Resolved:: 30/Jul/2018 11:09 PM

Jira Service Management Data Center

Details

Description

Summary:

Steps to Reproduce:

Expected Result:

Actual Result:

Attachments

Issue Links

Forms

Activity

Collapse comment: Andrew Culver added a comment - 05/Feb/2019 3:39 PM

Expand comment: Andrew Culver added a comment - 05/Feb/2019 3:39 PM

Collapse comment: Henri Volk [amily] added a comment - 27/Sep/2018 7:14 PM

Expand comment: Henri Volk [amily] added a comment - 27/Sep/2018 7:14 PM

Collapse comment: Henri Volk [amily] added a comment - 27/Jul/2017 9:17 PM

Expand comment: Henri Volk [amily] added a comment - 27/Jul/2017 9:17 PM

People

Dates

Backbone Issue Sync