[CONFSERVER-15160] Remote API Access Space Permission (PATCH) Created: 08/Apr/2009  Updated: 01/Feb/2018

Status: Gathering Interest
Project: Confluence Server
Component/s: Core - Content REST APIs
Fix Version/s: None

Type: Suggestion
Reporter: Igor Minar
Assignee: Unassigned
Resolution: Unresolved
Votes: 6
Labels: SunWikis, affects-server, enterprise, remote-api-(soap&xml-rpc)
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Attachments: PNG File Remote Access.png; Text File remote-api-admin-authorization.patch; Text File remote-api-authorization.patch
Issue Links:
relates to CONFCLOUD-15160 Remote API Access Space Permission (P... Open
Feedback Policy:
We collect Confluence feedback from various sources, and we evaluate what we've collected when planning our product roadmap. To understand how this piece of feedback will be reviewed, see An updated workflow for server feature suggestions.
Last Touched By: Rachel Lin (Inactive)
Last commented: 9 years, 8 weeks, 1 day ago


NOTE: This suggestion is for Confluence Server. Using Confluence Cloud? See the corresponding suggestion.

For large Confluence installations it is important to have remote API access to Confluence, but at the same time, it is not desirable to give remote access to everyone and everywhere. For this reason a new permission that would control access to the remote API is needed.

It is unimaginable to have Confluence admins of big instances decide who should get remote API access and for which space. Such a decision should be delegated to the space admins, who are the content owners for the given space and can make a qualified decision about access via the remote API for their space.

For this reason a new space permission is needed. This space permission would be controlled as any other permission via the Space Admin -> Permissions view.

A patch with this functionality was developed against Confluence 2.x, and the patch provided is rebased for 2.10.2. The patch was written in a minimalistic way in order to introduce a minimal performance penalty and make it easy to port between different Confluence versions.

In our case we wanted to restrict access to global remote API calls to Confluence admins as well, so we created a patch for that too (attached as remote-api-admin-authorization.patch). It would be nice if this patch were rewritten so that an individual global permission to access these global methods exists too, but this isn't as important for us as having the space permission patch accepted into the Confluence source base. I'm attaching both patches just to give you an idea of what we do. It's up to you whether you decide to take the admin patch and rewrite it so that a global permission exists as well.

The order in which the patches should be applied to the Confluence source base is remote-api-admin-authorization.patch -> remote-api-authorization.patch.
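The following is an added illustration, not the attached patches (whose contents are not shown here): a Python model of the two authorization rules the description proposes, a space-level remote API permission that space admins grant, plus a gate that limits space-independent (global) methods to Confluence admins. The method names, the permission name and the split between space-scoped and global methods are assumptions made for the example.

```python
# Constructed model of the authorization rules proposed above; not the attached
# patches. Method names and the permission name are assumptions for illustration.
from dataclasses import dataclass, field


class RemoteApiDenied(Exception):
    """Raised when a remote API call fails the permission check."""


@dataclass
class Space:
    key: str
    # Users a space admin has granted the (assumed) "remote API" space permission to.
    remote_api_users: set = field(default_factory=set)


@dataclass
class User:
    name: str
    is_confluence_admin: bool = False


# Assumed split of remote API methods: space-scoped calls take a space key,
# global calls do not and (per the admin patch idea) need a Confluence admin.
SPACE_SCOPED = {"getPage", "getPages", "storePage", "removePage"}
GLOBAL_ONLY = {"getSpaces", "addSpace", "getUsers", "addUser"}


def authorize_remote_call(user, method, spaces, space_key=None):
    """Return True if the call is permitted, otherwise raise RemoteApiDenied."""
    if user.is_confluence_admin:
        return True  # admins keep unrestricted remote access
    if method in GLOBAL_ONLY:
        raise RemoteApiDenied(f"{method}: global calls require a Confluence admin")
    if method in SPACE_SCOPED:
        space = spaces.get(space_key)
        if space is None:
            raise RemoteApiDenied(f"{method}: unknown space {space_key!r}")
        if user.name not in space.remote_api_users:
            raise RemoteApiDenied(f"{method}: {user.name} lacks remote API permission on {space.key}")
        return True
    # Fail closed: a method the gate does not classify is denied, so a remote
    # method added later cannot bypass the check simply by being forgotten.
    raise RemoteApiDenied(f"{method}: unclassified method, denied by default")


def is_allowed(user, method, spaces, space_key=None):
    """Boolean convenience wrapper around authorize_remote_call."""
    try:
        return authorize_remote_call(user, method, spaces, space_key)
    except RemoteApiDenied:
        return False
```

The fail-closed branch is the part worth keeping when porting such a check between versions: the gate has to deny anything it does not recognise, otherwise every newly added remote method is exposed until someone remembers to classify it.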

Comment by David Matsumoto [ 31/Aug/2009 ]

Our company is in a similar situation; though very useful and powerful, the remote API can be misused or possibly even dangerous in some hands. In our case turning it off isn't an option, since we require it for some admin functions that don't work well through the standard interface, and we have now started integrating other applications into the wiki using this interface. Having a bit more control over who can use it would go a long way to resolving this.

Generated at Tue Oct 16 00:37:57 UTC 2018 using Jira 7.13.0-m0003#713000-sha1:633a471f2aa3103167a647e64201095430fb1c30.