Space Admins Cannot administer space permissions

Yes, they have the "Admin" tick checked (green) in permissions and they have the "Edit" button, however, when they click on the edit button then they get the error that they do not have permissions.

Ok, if they didn't have the permission, the button shouldn't even appear.  Are they logged in with a non-expired session? (Easy to check, just go to another part of Confluence and check the user is shown as logged in at the top right)

Could you have a look at the log file at the point at which one of these users click the edit button?

Yes, they are logged in. I'll have a look at the log files and see if I can see anything pertaining to this issue. I'm also wondering if maybe this is a database issue.

Ok, we figured out what is going on here. When space admin clicks on "Edit Permissions" they are supposed to get the authentication page prior to them being dropped to the permissions editing page. What is happening is there are two special characters being inserted in the URL string that turns out OpenAM doesn't like. Specifically it is encoding the second set of 3 characters into a special character (a question mark). If we decode the second character and replace the special character with the decoded string, the URL works. OpenAM kicks back the URL because of the second special character.

Now my questions is, does the newest version of Confluence do this? We spoke with OpenAM and they report this is working as intended and only older versions of the  web client accept special characters. So why does Confluence encode certain characters strings as special characters and can this be changed?

Below is the URL being generated when a space admin clicks on the "Edit Permissions" button. Notice the second question mark in the URL. That's what OpenAM doesn't like. If we replace the question mark with it's decoded value of %3f it works just fine.

https://learn.dcita.edu/confluence/authenticate.action?destination=/spaces/editspacepermissions.action?key=SC&edit=Edit+Permissions

That is, I'm afraid, a perfectly valid url, and one that works with other authentication systems.  It looks to me that the OpenAM user authentication has a bug in it - it should accept the second ? as a valid url.

Well, turns out this is a bug with OpenAM. Just got an update from our dev team who had a ticket open with the OpenAm dev team about this and they now confirm this is a bug that will be fixed in a future release. At first they were saying it wasn't a bug until our own devs found something related to this issue in their release notes.

Also I would like to correct my earlier posts and state that we were in fact ENCODING the special character and not decoding it. When it is encoded then OpenAM let's it load. Just as an FYI in case anyone else runs into this issue and needs a workaround.

Thank you for your help.