Come for the products,
stay for the community

The Atlassian Community can help you and your team get more value out of Atlassian products and practices.

Atlassian Community about banner
Community Members
Community Events
Community Groups

Please fix the massive security issue when attempting to "Share" one page


My company uses cloud Confluence and Jira and one of the employees wanted to make a page available for an external contractor.

They legitimately, clicked the "Share" button on the top right and entered the external e-mail.

What happened next (as a reconstruction showed) was the external e-mail got an invite to join, and by joining, Confluence happily granted access to the entire space the page was in.

Weeks later, lo and behold, I notice we've got a new member with full rights as part of the team, although they are external. I am baffled at the choice of design of this feature, and the default settings for per-space permissions, and/or whatever else allowed this to happen.



Now that the harm has been done, I am asking for a way to check what that person has seen, here.

Also note that I see many post like this one which realise how the feature works but I haven't seen any post highlighting what a gross security failure this feature is.



As I understood your instance has automatic authorisation functionality. like public registration, is that right?

I'm using the cloud confluence. And have not changed security parameters.

Dirk Ronsmans Community Leader Jan 17, 2021

@Gonchik Tsymzhitov I guess it has more to do with the invite being sent. No public registration but if you invite them you add them of course. 

OP seems to not have an issue with that but with the fact that permissions were granted on the entire space and not the single page. While this seems like normal behaviour I think it is a fault in implementation that a single page access is not granted and unknowingly to the sharer, the customer sees too much. 

I feel like a single page share function or at least a notification saying that the person will be granted access to all non restricted pages of space x will be granted. 

@Emil Donca   @Dirk Ronsmans Thank you for additional info :) 

Now I understood the pain.


@Emil Donca  Could you share your expectation step by step? 


1. Do you want to create a specific group like external-users? 

2. Do you want to have a control of all external users ? 

3. And do you want to be sure that group member can see only that page? 

I guess I want #3 - when I share a page with someone, I expect the page to be shared, not the entire universe.

As far as I'm concerned the documentation you linked to is wrong - it's for "sharing a page", but it says "You can also add an email address to invite someone outside your site." - no you can't. If you add an external email to the list, they get access to the entire universe not just the page (which is obvs what you wanted to do since you clicked Share page).


Please try to understand how things look like and what happens from the perspective of the user.

Any input from Atlassian on this one?
Any place I should file a bug report?

Dirk Ronsmans Community Leader Jan 17, 2021 seems a good start. Here you are relying on the community to escalate it where as there you have a direct line to Atlassian representatives

Like # people like this
Diego Atlassian Team Jan 18, 2021

Hello there @Emil Donca .

Thank you very much for sharing your experience with our Cloud product. I believe and see that this occurrence has affected your workflow within Confluence.


As I understand, an external user was invited to join your site via the “Share” function, much like what is described in our documentation:

When you share content with someone outside Confluence, we send them an email inviting them to join your site. They’ll be prompted to create an Atlassian account before they can access your page or blog post.

When you invite an external user, you grant them access to Confluence, not just to your page. We add them to the default product group and start billing you for the new user.

You can check more details here:

By default, Confluence allows users to see and interact with content created within it unless otherwise specified. For example:

  1. A space is created
  2. Pages are created in that space
  3. Everyone who can see the space, can see the content created in it
  4. All content within that space that needs to be restricted, should be using page restrictions

This means that, if you need to have a single page open to everyone, you should apply restrictions to all other pages. You could look at "Page Restrictions" as page level permissions, a more granular touch to how users can see content within spaces.

Since Confluence is a collaboration platform, using a permissive instead of restrictive set of rules makes collaboration easier.

You can check more details on how our permissions and restrictions mean here:

If you need to share a single page, with only view capabilities to whoever is looking at the page, you can use the “Public Link” feature in the “Share” feature:

Screen Shot 2021-01-18 at 13.54.56.png

Here we have more details on this:

Currently, our logging capabilities in Confluence do not include user page access and interactions. We record specific user activities, as described here:

Let us hear from you!

Like # people like this

Thanks Diego for taking the time to write this. I understand the underlying permissions model after looking into it, and from what you quote it seems some place in the docs also mention the behavior - "When you invite an external user, you grant them access to Confluence, not just to your page"

But I maintain my view that the "Share page" workflow is wrong, by easily letting users do what they don't want, with possibly major implications. When it comes to security, designs should err on the side of not letting people (easily) relax permissions, and Confluence UI atm is the opposite.

At the very least, the "Share Page" button should not allow external emails to be sent, that seems like the easiest fix. It forces the user to do explicit user management for adding that external user with a role that they choose, and understand.

Aside from that the approach to "apply restrictions to all other pages" sounds impractical (what happens to newly created pages?) but debating the permissions model itself is beyond the scope here. I am flagging a UI issue at the minimum. Let me know if you'd like me to file a bug report elsewhere as per Dirk's comment below. Thanks.


Log in or Sign up to comment
Community showcase
Published in Confluence

Watch 4 Confluence apps compete for Best App Demo in September's Appy Hours

Calling all collaborators! Appy Hours on the Atlassian Community is a monthly event where 4 Partner and app vendor presenters go head-to-head with 5-minute demos for the title of Best App Demo. I...

512 views 0 12
Read article

Atlassian Community Events