Users can move attachments to a space they have no permission for

2008-04-15T00:31:21
ID ATLASSIAN:CONF-11452
Type atlassian
Reporter stafford@customware.net
Modified 2017-02-17T05:11:08

Description

Any user with permission to edit pages in a space can move attachments in that space to any page in Confluence.

E.g.: suppose we have a user named StandardUser who has permission to edit pages in GeneralSpace, but no permission to view or edit RestrictedSpace, which contains a page predictably named Home. StandardUser:

* goes to the attachments view of a page with attachments in GeneralSpace.
* clicks edit.
* types "RestrictedSpace:Home" into the Page field and clicks save.

The attachment is moved.

The user should really need the following permissions:

* View Space for RestrictedSpace
* Create Attachment for RestrictedSpace

Furthermore, the user should not be restricted from viewing or editing the target page by any page-level restrictions.
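
The missing check, modelled as an added example (not Confluence code and not part of the original report): the reported behaviour authorizes the move against the source space only, while the hardened check also evaluates the permissions listed above against the target page. The `Page` class, the permission names and the sample users and spaces are assumptions constructed for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class Page:
    space: str
    title: str
    viewers: set = field(default_factory=set)  # page-level view restriction; empty = none
    editors: set = field(default_factory=set)  # page-level edit restriction; empty = none
    attachments: list = field(default_factory=list)

# Constructed sample data: {space: {user: {permission names}}} (names are assumed)
SPACE_PERMS = {
    "GeneralSpace": {"StandardUser": {"view_space", "edit_pages", "create_attachment"}},
    "RestrictedSpace": {"Admin": {"view_space", "edit_pages", "create_attachment"}},
}

def has_space_perm(user, space, perm):
    return perm in SPACE_PERMS.get(space, {}).get(user, set())

def unrestricted_for(user, allowed):
    # An empty restriction set means the page is open to anyone with space access.
    return not allowed or user in allowed

def may_move_vulnerable(user, source, target):
    # Behaviour described in the report: the target page is never consulted.
    return has_space_perm(user, source.space, "edit_pages")

def may_move_hardened(user, source, target):
    # Same source check, plus every condition the report lists for the target.
    return (
        has_space_perm(user, source.space, "edit_pages")
        and has_space_perm(user, target.space, "view_space")
        and has_space_perm(user, target.space, "create_attachment")
        and unrestricted_for(user, target.viewers)
        and unrestricted_for(user, target.editors)
    )

def move_attachment(user, name, source, target, check):
    # Authorize before mutating either page, so a denied move changes nothing.
    if name not in source.attachments:
        raise KeyError(name)
    if not check(user, source, target):
        raise PermissionError(f"{user} may not move {name} to {target.space}:{target.title}")
    source.attachments.remove(name)
    target.attachments.append(name)
```

Because the target is resolved from user-typed text ("RestrictedSpace:Home"), the authorization decision has to be made on the resolved target object, after lookup and before the move.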