
      Issue Summary

      Core data in a Confluence migration may have page restrictions, which makes it inaccessible to REST endpoints. As a result, Connect apps cannot update their data, such as macros or custom content.

      Steps to Reproduce

      1. Install an app on Server that uses custom content
      2. Add macro or content to a page and restrict the page
      3. Migrate the data
      4. In Cloud, use the REST endpoint to update the macro or custom content

      Expected Results

      Content can be updated by the app

      Actual Results

      The app receives an HTTP 403

      Workaround

      Connect apps can use admin impersonation, but an admin needs to be specified and this may also generate a page edit.

            [MIG-837] Apps can't access restricted content in Confluence Cloud

            Sami Bel Haj Hassine added a comment:

            Hello, have there been any updates or workarounds to this issue?
            The workaround found is to migrate space by space, which is a terrible solution for a large number of spaces. On the other hand, assigning it to a random user with access leads to the data becoming irrelevant.

            Michael Aglas added a comment:

            I guess this is another issue that has a potential to be closed in >= 10 years...

            Kashev Dalmia {Soteri} added a comment:

            We're also having this problem with our Confluence Cloud app (though not in the migration context). Even with user impersonation, it's not possible (as far as we can tell) to fetch the full list of content IDs if any of those IDs have restricted permissions.

            Alex Medved {ConfiForms} added a comment (edited):

            Hi

            Looks like we need to come up with something similar, I am afraid... as automatic migration simply does not work for us.

            What is the best way to find the user who has edit permissions?

            Something like

            https://developer.atlassian.com/cloud/confluence/rest/api-group-content/#api-wiki-rest-api-content-get

            with expand=restrictions.update.restrictions.user?

            The problem is how to do this request if an app has no "view" permissions on a content.

            And how to ensure the service you developed for migration (with user impersonation) is secure (and can only be used by migration process)?

            Alex

            Brigitte [SR] added a comment:

            Scaffolding Cloud is affected by this issue. After migration, the app needs to use the REST endpoint to update a page's content property on Cloud. The update will fail if the page is restricted. We tried:

            • Adding SPACE_ADMIN permission to Scaffolding Cloud app - didn't solve the issue
            • Impersonating a user with GLOBAL_ADMIN permission - didn't solve the issue because even global admin can't access restricted content on Cloud

            Our workaround is, for each page, to identify a user who has edit permission and impersonate him.
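Added example (not part of the original comments or of any vendor's code): the per-page workaround described above, combined with the `expand=restrictions.update.restrictions.user` idea from the earlier comment, written as a selection function. The response shape, the `accountType` filter, and the names `planImpersonation` and `migratedIds` are assumptions; limiting the plan to migrated content IDs is one way to keep impersonation scoped to the migration.

```javascript
// SAMPLE_PAGE is constructed. Its shape assumes the response to
// GET /wiki/rest/api/content/{id}?expand=restrictions.update.restrictions.user
// (plus the matching .group expansion).
const SAMPLE_PAGE = {
  id: "1001",
  restrictions: {
    update: {
      restrictions: {
        user: { results: [
          { accountType: "app", accountId: "acc-app" },
          { accountType: "atlassian", accountId: "acc-alice" },
        ] },
        group: { results: [{ name: "docs-editors" }] },
      },
    },
  },
};

// Hypothetical helper. migratedIds is the set of content IDs the migration
// job may touch, so impersonation is never planned outside that set.
function planImpersonation(content, migratedIds) {
  if (!migratedIds.has(content.id)) {
    return { action: "refuse", reason: "content is not part of this migration" };
  }
  const r = content.restrictions?.update?.restrictions;
  if (!r) {
    // No restriction data in the response: do not guess an editor.
    return { action: "unknown", reason: "update restrictions not expanded" };
  }
  // Assumption: only human accounts are worth impersonating; skip app users.
  const users = (r.user?.results ?? []).filter((u) => u.accountType === "atlassian");
  const groups = (r.group?.results ?? []).map((g) => g.name);
  if (users.length > 0) {
    return { action: "impersonate", accountId: users[0].accountId };
  }
  if (groups.length > 0) {
    // Only groups may edit: membership must be resolved before impersonating.
    return { action: "resolve-groups", groups };
  }
  // No update restriction recorded: there is nobody to impersonate.
  return { action: "as-app" };
}
```

Logging every returned plan alongside the content ID gives an audit trail of which account was impersonated for which page.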

              Assignee: Unassigned
              Reporter: James Richards (jrichards@atlassian.com)
              Votes: 96
              Watchers: 70