Create
cancel
Showing results for 
Search instead for 
Did you mean: 
Sign up Log in
Celebration

Earn badges and make progress

You're on your way to the next level! Join the Kudos program to earn points and save your progress.

Deleted user Avatar
Deleted user

Level 1: Seed

25 / 150 points

Next: Root

Avatar

1 badge earned

Collect

Participate in fun challenges

Challenges come and go, but your rewards stay with you. Do more to earn more!

Challenges
Coins

Gift kudos to your peers

What goes around comes around! Share the love by gifting kudos to your peers.

Recognition
Ribbon

Rise up in the ranks

Keep earning points to reach the top of the leaderboard. It resets every quarter so you always have a chance!

Leaderboard

Come for the products,
stay for the community

The Atlassian Community can help you and your team get more value out of Atlassian products and practices.

Atlassian Community about banner
4,460,383
Community Members
 
Community Events
176
Community Groups

Update Space Permissions without Space Admin Part 1

We wanted to provide certain members of our organization the ability to manage permissions within their Confluence space, however we did not want to give them the space administrator permission. Unfortunately, Confluence doesn't allow for that and it doesn't look like this is something Atlassian will consider in the future based on this related ticket (for viewing space permissions) CONFSERVER-21661. I was able to get around this by using ScriptRunner for Confluence. 

If you're familiar with ScriptRunner, it provides you with the option of creating a custom REST Endpoint that you can call and execute a script. So using this feature I wrote the following script that will assign space permissions based on the parameters delivered with the REST call.

import com.onresolve.scriptrunner.runner.rest.common.CustomEndpointDelegate 

import groovy.transform.BaseScript

import com.atlassian.sal.api.component.ComponentLocator
import com.atlassian.confluence.spaces.SpaceManager
import com.atlassian.confluence.spaces.Space
import com.atlassian.confluence.security.DefaultSpacePermissionManager
import com.atlassian.confluence.security.SpacePermissionManager
import com.atlassian.confluence.security.SpacePermission
import com.atlassian.confluence.user.ConfluenceUserManager
import com.atlassian.user.UserManager
import com.atlassian.confluence.user.ConfluenceUser

import javax.ws.rs.core.MultivaluedMap
import javax.ws.rs.core.Response

@BaseScript CustomEndpointDelegate delegate

//Change <Your Admin Group> to the name of you group you use for system administrators.
//This will only allow users in the admin group to execute the REST call.
updatePermissions(httpMethod: "GET", groups: [<Your Admin Group>]){ MultivaluedMap queryParams ->

def spaceManager = ComponentLocator.getComponent(SpaceManager)
def spacePermissionManager = ComponentLocator.getComponent(SpacePermissionManager)
def userManager = ComponentLocator.getComponent(UserManager)
def dSpacePM = ComponentLocator.getComponent(DefaultSpacePermissionManager)
def space = spaceManager.getSpace(queryParams.getFirst("spaceKey") as String)
def user = userManager.getUser(queryParams.getFirst("user") as String) as ConfluenceUser
def spacePermissionToSave
def permissions = dSpacePM.getAllPermissionsForUser(user)

//Remove all permissions for the user from the space.
permissions.each { perm->
if (perm.getSpace().getName() == space.getName())
{
spacePermissionManager.removePermission(perm)
}
}

//Apply the permissions selected based on the parameters in the REST call. Note, permissions I never want used will never be set, i.e. no backdoor to just make the REST call to get admin permissions.
if (queryParams.getFirst("view") == "true")
{
spacePermissionToSave = SpacePermission.createUserSpacePermission(SpacePermission.VIEWSPACE_PERMISSION, space, user)
spacePermissionManager.savePermission(spacePermissionToSave)
}
if (queryParams.getFirst("removeOwn") == "true")
{
spacePermissionToSave = SpacePermission.createUserSpacePermission(SpacePermission.REMOVE_OWN_CONTENT_PERMISSION, space, user)
spacePermissionManager.savePermission(spacePermissionToSave)
}
if (queryParams.getFirst("createEditPage") == "true")
{
spacePermissionToSave = SpacePermission.createUserSpacePermission(SpacePermission.CREATEEDIT_PAGE_PERMISSION, space, user)
spacePermissionManager.savePermission(spacePermissionToSave)
}
if (queryParams.getFirst("removePage") == "true")
{
spacePermissionToSave = SpacePermission.createUserSpacePermission(SpacePermission.REMOVE_PAGE_PERMISSION, space, user)
spacePermissionManager.savePermission(spacePermissionToSave)
}
if (queryParams.getFirst("editBlog") == "true")
{
spacePermissionToSave = SpacePermission.createUserSpacePermission(SpacePermission.EDITBLOG_PERMISSION, space, user)
spacePermissionManager.savePermission(spacePermissionToSave)
}
if (queryParams.getFirst("createAttachment") == "true")
{
spacePermissionToSave = SpacePermission.createUserSpacePermission(SpacePermission.CREATE_ATTACHMENT_PERMISSION, space, user)
spacePermissionManager.savePermission(spacePermissionToSave)
}
if (queryParams.getFirst("removeAttachment") == "true")
{
spacePermissionToSave = SpacePermission.createUserSpacePermission(SpacePermission.REMOVE_ATTACHMENT_PERMISSION, space, user)
spacePermissionManager.savePermission(spacePermissionToSave)
}
if (queryParams.getFirst("comment") == "true")
{
spacePermissionToSave = SpacePermission.createUserSpacePermission(SpacePermission.COMMENT_PERMISSION, space, user)
spacePermissionManager.savePermission(spacePermissionToSave)
}
if (queryParams.getFirst("setPagePermissions") == "true")
{
spacePermissionToSave = SpacePermission.createUserSpacePermission(SpacePermission.SET_PAGE_PERMISSIONS_PERMISSION, space, user)
spacePermissionManager.savePermission(spacePermissionToSave)
}
if (queryParams.getFirst("exportSpace") == "true")
{
spacePermissionToSave = SpacePermission.createUserSpacePermission(SpacePermission.EXPORT_SPACE_PERMISSION, space, user)
spacePermissionManager.savePermission(spacePermissionToSave)
}

return Response.ok().build();
}

The script above restricts this call to users within the administrators group. I created a service account that I use for this purpose and added the account/user to my admin group so it can execute the script.

So now all you have to do is make a rest call with user that belongs to the admin group identified in the script using a format of https://<base-url>/rest/scriptrunner/latest/custom/updatePermissions?spaceKey=<Your Space Key>&user=<username of the user granting permission to>&view=<true/false>&createEditPage=<true/false>&removePage=<true/false>&editBlog=<true/false>&createAttachment=<true/false>&removeAttachment=<true/false>&comment=<true/false>&setPagePermissions=<true/false>&exportSpace=<true/false>&removeOwn=<true/false>

So, how do you let your non-admins call this REST endpoint? You can implement that part in many ways, see how I did this in part 2.

2 comments

(EDIT: I actually completely misunderstood your use case! So I removed the first part of my comment.)

I also like your solution since people that already have Script Runner won't need an extra app! :)

Cheers,
Sven

Like # people like this

Excellent Workaround Sir Scott!

Can you help with the appropriate script just to update the space view permissions using the Confluence groups that the space creator belongs too?

Acceptance Criteria: Once a user creates a Confluence space, all groups that the space creator belongs to will be added to space view permissions, except the "confluence-users" group.

I planning on using scriptrunner's space create event listener to trigger the script that will fetch all Confluence groups of the space creator and add them to space view permissions.

Appreciating your insight!

Comment

Log in or Sign up to comment
TAGS

Atlassian Community Events