
Please fix the massive security issue when attempting to "Share" one page

Emil Donca January 1, 2021

My company uses cloud Confluence and Jira and one of the employees wanted to make a page available for an external contractor.

They legitimately clicked the "Share" button on the top right and entered the external e-mail.

What happened next (as a reconstruction showed) was the external e-mail got an invite to join, and by joining, Confluence happily granted access to the entire space the page was in.

Weeks later, lo and behold, I notice we've got a new member with full rights as part of the team, although they are external. I am baffled at the choice of design of this feature, and the default settings for per-space permissions, and/or whatever else allowed this to happen.

[Screenshot: share.png]

Now that the harm has been done, I am asking for a way to check what that person has seen, here.

Also note that I see many posts like this one which realise how the feature works, but I haven't seen any post highlighting what a gross security failure this feature is.

9 answers

3 votes
Diego
Atlassian Team
January 18, 2021

Hello there @Emil Donca.

Thank you very much for sharing your experience with our Cloud product. I believe and see that this occurrence has affected your workflow within Confluence.

 

As I understand, an external user was invited to join your site via the “Share” function, much like what is described in our documentation:

When you share content with someone outside Confluence, we send them an email inviting them to join your site. They’ll be prompted to create an Atlassian account before they can access your page or blog post.

When you invite an external user, you grant them access to Confluence, not just to your page. We add them to the default product group and start billing you for the new user.

You can check more details here:

By default, Confluence allows users to see and interact with content created within it unless otherwise specified. For example:

  1. A space is created
  2. Pages are created in that space
  3. Everyone who can see the space, can see the content created in it
  4. All content within that space that needs to be restricted, should be using page restrictions

This means that, if you need to have a single page open to everyone, you should apply restrictions to all other pages. You could look at "Page Restrictions" as page level permissions, a more granular touch to how users can see content within spaces.

Since Confluence is a collaboration platform, using a permissive instead of restrictive set of rules makes collaboration easier.

You can check more details on what our permissions and restrictions mean here:

If you need to share a single page, with only view capabilities to whoever is looking at the page, you can use the “Public Link” feature in the “Share” feature:

[Screenshot: Screen Shot 2021-01-18 at 13.54.56.png]

Here we have more details on this:

Currently, our logging capabilities in Confluence do not include user page access and interactions. We record specific user activities, as described here:

Let us hear from you!
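The visibility rules described in this answer, modelled as an added example (not Atlassian's code; the space, groups, pages and invitee address are constructed sample data): it shows why an invitee who lands in the default product group sees every unrestricted page of the space, and includes an audit helper that lists exactly those pages.

```python
"""Simplified model of the Confluence visibility rules described above.

Rules modelled (as stated in the answer, not Confluence's real implementation):
  * a user can see a space if one of their groups has view permission on it;
  * every page in a visible space is visible unless the page carries view
    restrictions, in which case only the listed users/groups may see it.
All space names, groups, pages and e-mail addresses below are constructed.
"""
from dataclasses import dataclass, field


@dataclass
class Page:
    title: str
    space: str
    # empty set = unrestricted (visible to everyone who can see the space)
    view_restricted_to: set = field(default_factory=set)


def can_view_space(user_groups, space_perms, space):
    """Space-level check: any of the user's groups holds view permission."""
    return bool(user_groups & space_perms.get(space, set()))


def can_view_page(user, user_groups, space_perms, page):
    """Page is visible if the space is visible and restrictions (if any) include the user."""
    if not can_view_space(user_groups, space_perms, page.space):
        return False
    if not page.view_restricted_to:
        return True
    return user in page.view_restricted_to or bool(user_groups & page.view_restricted_to)


def visible_pages(user, user_groups, space_perms, pages):
    return sorted(p.title for p in pages if can_view_page(user, user_groups, space_perms, p))


def unrestricted_pages(space, pages):
    """Audit helper: pages any space viewer (including a newly invited user) can read."""
    return sorted(p.title for p in pages if p.space == space and not p.view_restricted_to)


# Constructed sample: the default product group has view permission on space "ENG".
SPACE_PERMS = {"ENG": {"confluence-users"}}
PAGES = [
    Page("Contractor brief", "ENG"),
    Page("Architecture notes", "ENG"),
    Page("Salary bands", "ENG", view_restricted_to={"hr-team"}),
]


def exposure_after_share(shared_title, invitee="contractor@example.com"):
    """Everything the invitee sees once the Share invite puts them in the default group,
    and the subset that was not the page the sharer meant to share."""
    seen = visible_pages(invitee, {"confluence-users"}, SPACE_PERMS, PAGES)
    return seen, [t for t in seen if t != shared_title]
```

Running `exposure_after_share("Contractor brief")` reports "Architecture notes" as unintended exposure, while the restricted "Salary bands" page stays hidden; `unrestricted_pages("ENG", PAGES)` is the list to review before sending any external invite.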

2 votes
Dirk Ronsmans
Community Leader
January 17, 2021

https://support.atlassian.com/contact seems a good start. Here you are relying on the community to escalate it, whereas there you have a direct line to Atlassian representatives.

0 votes
Emil Donca January 19, 2021

Thanks Diego for taking the time to write this. I understand the underlying permissions model after looking into it, and from what you quote it seems some place in the docs also mentions the behavior - "When you invite an external user, you grant them access to Confluence, not just to your page".

But I maintain my view that the "Share page" workflow is wrong, by easily letting users do what they don't want, with possibly major implications. When it comes to security, designs should err on the side of not letting people (easily) relax permissions, and Confluence UI atm is the opposite.

At the very least, the "Share Page" button should not allow external emails to be sent, that seems like the easiest fix. It forces the user to do explicit user management for adding that external user with a role that they choose, and understand.

Aside from that, the approach to "apply restrictions to all other pages" sounds impractical (what happens to newly created pages?), but debating the permissions model itself is beyond the scope here. I am flagging a UI issue at the minimum. Let me know if you'd like me to file a bug report elsewhere as per Dirk's comment below. Thanks.

0 votes
Emil Donca January 18, 2021

I guess I want #3 - when I share a page with someone, I expect the page to be shared, not the entire universe.

As far as I'm concerned the documentation you linked to is wrong - it's for "sharing a page", but it says "You can also add an email address to invite someone outside your site." - no you can't. If you add an external email to the list, they get access to the entire universe not just the page (which is obvs what you wanted to do since you clicked Share page).

 

Please try to understand what things look like and what happens from the perspective of the user.

0 votes
Gonchik Tsymzhitov
Community Leader
January 17, 2021

@Emil Donca   @Dirk Ronsmans Thank you for additional info :) 

Now I understood the pain. 

https://support.atlassian.com/confluence-cloud/docs/share-a-page-or-blog-post/

 

@Emil Donca  Could you share your expectation step by step? 

 

1. Do you want to create a specific group like external-users? 

2. Do you want to have control of all external users?

3. And do you want to be sure that group member can see only that page? 

0 votes
Dirk Ronsmans
Community Leader
January 17, 2021

@Gonchik Tsymzhitov I guess it has more to do with the invite being sent. No public registration but if you invite them you add them of course. 

OP seems to not have an issue with that but with the fact that permissions were granted on the entire space and not the single page. While this seems like normal behaviour, I think it is a fault in implementation that single page access is not granted and, unknown to the sharer, the customer sees too much.

I feel like there should be a single page share function, or at least a notification saying that the person will be granted access to all non-restricted pages of space x.

0 votes
Emil Donca January 17, 2021

Any input from Atlassian on this one?
Any place I should file a bug report?

0 votes
Emil Donca January 2, 2021

I'm using the cloud confluence. And have not changed security parameters.

0 votes
Gonchik Tsymzhitov
Community Leader
January 1, 2021

Hi! 

As I understood, your instance has automatic authorisation functionality, like public registration, is that right?
