Create
cancel
Showing results for 
Search instead for 
Did you mean: 
Sign up Log in

It's not the same without you

Join the community to find out what other Atlassian users are discussing, debating and creating.

Atlassian Community Hero Image Collage

Please fix the massive security issue when attempting to "Share" one page

Edited

My company uses cloud Confluence and Jira and one of the employees wanted to make a page available for an external contractor.

They legitimately, clicked the "Share" button on the top right and entered the external e-mail.

What happened next (as a reconstruction showed) was the external e-mail got an invite to join, and by joining, Confluence happily granted access to the entire space the page was in.

Weeks later, lo and behold, I notice we've got a new member with full rights as part of the team, although they are external. I am baffled at the choice of design of this feature, and the default settings for per-space permissions, and/or whatever else allowed this to happen.

 

share.png

Now that the harm has been done, I am asking for a way to check what that person has seen, here.

Also note that I see many post like this one which realise how the feature works but I haven't seen any post highlighting what a gross security failure this feature is.

3 comments

Hi! 

As I understood your instance has automatic authorisation functionality. like public registration, is that right?

I'm using the cloud confluence. And have not changed security parameters.

Dirk Ronsmans Community Leader Jan 17, 2021

@Gonchik Tsymzhitov I guess it has more to do with the invite being sent. No public registration but if you invite them you add them of course. 

OP seems to not have an issue with that but with the fact that permissions were granted on the entire space and not the single page. While this seems like normal behaviour I think it is a fault in implementation that a single page access is not granted and unknowingly to the sharer, the customer sees too much. 

I feel like a single page share function or at least a notification saying that the person will be granted access to all non restricted pages of space x will be granted. 

@Emil Donca   @Dirk Ronsmans Thank you for additional info :) 

Now I understood the pain. 

https://support.atlassian.com/confluence-cloud/docs/share-a-page-or-blog-post/

 

@Emil Donca  Could you share your expectation step by step? 

 

1. Do you want to create a specific group like external-users? 

2. Do you want to have a control of all external users ? 

3. And do you want to be sure that group member can see only that page? 

I guess I want #3 - when I share a page with someone, I expect the page to be shared, not the entire universe.

As far as I'm concerned the documentation you linked to is wrong - it's for "sharing a page", but it says "You can also add an email address to invite someone outside your site." - no you can't. If you add an external email to the list, they get access to the entire universe not just the page (which is obvs what you wanted to do since you clicked Share page).

 

Please try to understand how things look like and what happens from the perspective of the user.

Any input from Atlassian on this one?
Any place I should file a bug report?

Dirk Ronsmans Community Leader Jan 17, 2021

https://support.atlassian.com/contact seems a good start. Here you are relying on the community to escalate it where as there you have a direct line to Atlassian representatives

Like # people like this
Diego Atlassian Team Jan 18, 2021

Hello there @Emil Donca .

Thank you very much for sharing your experience with our Cloud product. I believe and see that this occurrence has affected your workflow within Confluence.

 

As I understand, an external user was invited to join your site via the “Share” function, much like what is described in our documentation:

When you share content with someone outside Confluence, we send them an email inviting them to join your site. They’ll be prompted to create an Atlassian account before they can access your page or blog post.

When you invite an external user, you grant them access to Confluence, not just to your page. We add them to the default product group and start billing you for the new user.

You can check more details here:

By default, Confluence allows users to see and interact with content created within it unless otherwise specified. For example:

  1. A space is created
  2. Pages are created in that space
  3. Everyone who can see the space, can see the content created in it
  4. All content within that space that needs to be restricted, should be using page restrictions

This means that, if you need to have a single page open to everyone, you should apply restrictions to all other pages. You could look at "Page Restrictions" as page level permissions, a more granular touch to how users can see content within spaces.

Since Confluence is a collaboration platform, using a permissive instead of restrictive set of rules makes collaboration easier.

You can check more details on how our permissions and restrictions mean here:

If you need to share a single page, with only view capabilities to whoever is looking at the page, you can use the “Public Link” feature in the “Share” feature:

Screen Shot 2021-01-18 at 13.54.56.png

Here we have more details on this:

Currently, our logging capabilities in Confluence do not include user page access and interactions. We record specific user activities, as described here:

Let us hear from you!

Like # people like this

Thanks Diego for taking the time to write this. I understand the underlying permissions model after looking into it, and from what you quote it seems some place in the docs also mention the behavior - "When you invite an external user, you grant them access to Confluence, not just to your page"

But I maintain my view that the "Share page" workflow is wrong, by easily letting users do what they don't want, with possibly major implications. When it comes to security, designs should err on the side of not letting people (easily) relax permissions, and Confluence UI atm is the opposite.

At the very least, the "Share Page" button should not allow external emails to be sent, that seems like the easiest fix. It forces the user to do explicit user management for adding that external user with a role that they choose, and understand.

Aside from that the approach to "apply restrictions to all other pages" sounds impractical (what happens to newly created pages?) but debating the permissions model itself is beyond the scope here. I am flagging a UI issue at the minimum. Let me know if you'd like me to file a bug report elsewhere as per Dirk's comment below. Thanks.

Comment

Log in or Sign up to comment
TAGS
Community showcase
Published in Confluence

Confluence Mythbusters: Does Atlassian even use Confluence?

Hi, Confluence collaborators! As part of #Confluence-Collaboratory month, we’ve created a very special Mythsbusters segment, where we're dive into an interesting myth and uncover the truth behind i...

1,709 views 7 32
Read article

Community Events

Connect with like-minded Atlassian users at free events near you!

Find an event

Connect with like-minded Atlassian users at free events near you!

Unfortunately there are no Community Events near you at the moment.

Host an event

You're one step closer to meeting fellow Atlassian users at your local event. Learn more about Community Events

Events near you