Hello Confluence Admins,
We want to explain changes to cross-space page moves that resulted from patching a recently discovered vulnerability. The changes desupport an estimated 10-15% of cross-space page moves.
Summary: Moving a subtree (page + child pages) across spaces could allow a user to inappropriately access and modify previously restricted child pages.
Given a user with the following permissions:
In the Source Space
|
In the
|
the user can move a page and all child pages to a space where they are a space admin. In the Manage Pages>Restricted admin screen, the user can then access any previously restricted child pages.
Only space admins of the source space can move a page out of the space. This patches the vulnerability as the space admin of the source is already allowed to access those restricted pages via the Manage Pages>Restricted admin screen.
Disallow page moves if any child pages were restricted: This had the benefit of absolutely patching the vulnerability, but with significant UX and technical impact.
UX: When a page move fails due to a child page that the user cannot see due to restrictions, the user has no way to remediate it themselves and needs a space admin to assist.
Technical: This would result in desupporting more than 30% of cross-space page moves, and the user would require space admin intervention to troubleshoot/remediate. Additionally, performing permission checks along the entire subtree when the user attempts to move a page carries significant scale and performance risks.
Only move pages in the subtree that the user can access: Similarly, this patches the vulnerability but has UX and technical impact.
UX: More user research is required to understand proper handling of stranded pages and retaining the subtree structure. Stranded or structural placeholder pages could cause additional clutter or confusion without proper treatment.
Technical: Performing permission checks along the entire subtree when the user attempts to move a page carries significant scale and performance risks. Additionally, the scope of these changes is large, which leaves the vulnerability open for significantly longer and carries a higher risk of bugs.
With our commitment to security, we made a hard trade-off to close this serious security risk with expediency while limiting the breakage of existing flows. Any future iterations on improving the cross-space move experience will be considered for the future roadmap based on impact. One possible future solution is linked below; please vote/comment/follow this feature request if applicable to your organization.
CONFCLOUD-6645 - Add "Move Page" permission
dhur
Product Manager, Confluence Core Services
Atlassian
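The three options weighed in the post above, as an added toy model (not Atlassian's code and not part of the original post). It assumes a hypothetical in-memory page tree where each page lists the users allowed to view it, and it counts permission checks to show why the two subtree-walking alternatives scale with subtree size; all names and the sample tree are constructed for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class Page:
    title: str
    allowed: frozenset = frozenset()  # assumption: empty means unrestricted
    children: list = field(default_factory=list)

def subtree(page):
    """Yield the page and every descendant: the set a subtree move touches."""
    yield page
    for child in page.children:
        yield from subtree(child)

def can_view(user, page):
    return not page.allowed or user in page.allowed

def shipped_fix(user, source_admins):
    """Shipped rule: only space admins of the source space may move a page out.
    Returns (allowed, permission checks performed)."""
    return user in source_admins, 1

def deny_if_restricted(root):
    """Alternative 1: refuse the move if any page in the subtree is restricted.
    Returns (allowed, worst-case permission checks)."""
    pages = list(subtree(root))
    return all(not p.allowed for p in pages), len(pages)

def move_accessible_only(user, root):
    """Alternative 2: move only pages the user can view; the rest are stranded.
    Returns ((moved, stranded), permission checks performed)."""
    pages = list(subtree(root))
    moved = [p.title for p in pages if can_view(user, p)]
    stranded = [p.title for p in pages if not can_view(user, p)]
    return (moved, stranded), len(pages)

def sample_tree():
    """Constructed sample: one restricted child that only alice may view."""
    return Page("Team Home", children=[
        Page("Roadmap"),
        Page("Reviews", allowed=frozenset({"alice"})),
    ])

if __name__ == "__main__":
    root, admins = sample_tree(), {"alice"}  # alice is the source space admin
    for user in ("alice", "bob"):
        print(user, "shipped fix:", shipped_fix(user, admins))
        print(user, "deny if restricted:", deny_if_restricted(root))
        print(user, "accessible only:", move_accessible_only(user, root))
```

In this model the shipped rule costs one check regardless of subtree size, while alternative 1 blocks the move even for the source space admin and alternative 2 leaves "Reviews" stranded when bob moves the tree.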