Anonymous users can see page restriction data, exposing user ids and group names

2013-02-15T16:53:49
ID ATLASSIAN:CONF-28122
Type atlassian
Reporter dvarela
Modified 2017-02-17T05:26:11

Description

If a user navigates to a page that has any kind of individual "editing" restriction but is publicly viewable and then clicks on the padlock icon, he or she will see the names and UIDs of the users who are mentioned in the "edit" restriction, or any groups that are part of the restriction.

We think it is wrong to:

- Expose UIDs and group names, which are not exposed to anonymous users anywhere else.
- Expose who can edit the page to anonymous users.

The way we see it, this is quite private information.