SR for Confluence - Development
SRCONF-386

Group restendpoint access in lock content macro not restricted


    Details

    • Type: Bug
    • Status: Done
    • Priority: High
    • Resolution: Done
    • Affects Version/s: 5.4.9
    • Fix Version/s: 5.4.50
    • Component/s: None
    • Labels:
    • Sprint: American Sprint 106, American Sprint 107
    • Epic Link:
    • Story Points: 3
    • Critical Points: 0

      Description

      PROBLEM
      The groups REST endpoint at <your-localhost>/rest/scriptrunner-confluence/latest/lock-content-macro/groups is accessible to any user, including anonymous ones. Only logged-in users should be able to access it.

      HOW TO REPLICATE IT

      1. Start a Confluence instance.
      2. When the server is up and running (NO NEED TO LOG IN), go to the REST endpoint by typing <your-localhost>/rest/scriptrunner-confluence/latest/lock-content-macro/groups into the browser URL bar.
      3. You will see an array of groups in JSON format. If no group has been added, an empty array is displayed (on a clean instance the array is always empty).
      4. Expected behaviour: instead of the group array, the login page should be displayed.

      SOLUTION
      The problem is in the class com.onresolve.scriptrunner.runner.rest.confluence.LockContentMacroRestEndPoint. The method getGroups(@QueryParam("searchTerm") String searchTerm) should check that the caller is authenticated before returning the result.
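      Added example, not ScriptRunner's own code: a JAX-RS resource in the shape the SOLUTION describes, with the authentication check in place so anonymous requests get a 401 instead of the group array. The package, class name and the GroupSearch interface are assumptions; AuthenticatedUserThreadLocal and ConfluenceUser are Confluence's API.

```java
package example.lockcontent;

import java.util.List;

import javax.ws.rs.GET;
import javax.ws.rs.Path;
import javax.ws.rs.Produces;
import javax.ws.rs.QueryParam;
import javax.ws.rs.core.MediaType;
import javax.ws.rs.core.Response;

import com.atlassian.confluence.user.AuthenticatedUserThreadLocal;
import com.atlassian.confluence.user.ConfluenceUser;

/** Assumed stand-in for whatever resolves group names; not a real ScriptRunner type. */
interface GroupSearch {
    List<String> findGroupNames(String searchTerm);
}

// Deliberately NOT annotated with @AnonymousAllowed: this resource is for logged-in users only.
@Path("/lock-content-macro")
@Produces(MediaType.APPLICATION_JSON)
public class LockContentMacroGroupsResource {

    private final GroupSearch groupSearch;

    public LockContentMacroGroupsResource(GroupSearch groupSearch) {
        this.groupSearch = groupSearch;
    }

    @GET
    @Path("/groups")
    public Response getGroups(@QueryParam("searchTerm") String searchTerm) {
        // The reported defect: this check was missing, so anonymous callers received the array.
        ConfluenceUser user = AuthenticatedUserThreadLocal.get();
        if (user == null) {
            // 401 rather than an empty array: anonymous callers learn nothing about groups,
            // and the client can redirect to the login page as the ticket expects.
            return Response.status(Response.Status.UNAUTHORIZED).build();
        }

        // Authenticated path: normalise the optional query parameter and return the match list.
        String term = searchTerm == null ? "" : searchTerm.trim();
        List<String> groups = groupSearch.findGroupNames(term);
        return Response.ok(groups).build();
    }
}
```

      Regression check for the steps above: a request to the endpoint from a fresh browser session with no login must now return 401, and the same request after logging in must return the JSON array.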

      AFFECTED VERSIONS
      The problem was found during the release of ScriptRunner for Confluence version 5.4.9, but the issue was probably present in older versions too.
      Also tested with the latest version of ScriptRunner for Confluence, 5.4.47, and the issue is still present.

            People

            Assignee: twortham Tiffany Wortham
            Reporter: lassenza Luigi Assenza