SR for Confluence - Development
SRCONF-386

Group restendpoint access in lock content macro not restricted


Details

    • Bug
    • Status: Done
    • High
    • Resolution: Done
    • 5.4.9
    • 5.4.50
    • None
    • American Sprint 106, American Sprint 107
    • 3
    • 0

    Description

      PROBLEM
      The groups REST endpoint at <your-localhost>/rest/scriptrunner-confluence/latest/lock-content-macro/groups is accessible to any user, including anonymous (not logged in) visitors. Only logged-in users should be able to access it.

      HOW TO REPLICATE IT

      1. Start a Confluence instance.
      2. When the server is up and running (NO NEED TO LOG IN), open the REST endpoint in the browser: <your-localhost>/rest/scriptrunner-confluence/latest/lock-content-macro/groups
      3. You will see an array of groups in JSON format. If no group has been added, an empty array is returned (on a clean instance the array is always empty).
      4. Expected behaviour: instead of the group array, the login page should be displayed.

      SOLUTION
      The problem is in the class com.onresolve.scriptrunner.runner.rest.confluence.LockContentMacroRestEndPoint. The method getGroups(@QueryParam("searchTerm") String searchTerm) should check that the caller is an authenticated user before returning the result.
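      The following is an added illustration, not ScriptRunner's own source: a JAX-RS resource shaped like the endpoint named above, with the unguarded method as reported next to a version that refuses anonymous callers via Confluence's AuthenticatedUserThreadLocal. The GroupLookup collaborator and the "/groups-unguarded" path are assumptions made for the example.

```java
package example.lockcontent; // hypothetical package, not the ticket's class

import java.util.List;
import javax.ws.rs.GET;
import javax.ws.rs.Path;
import javax.ws.rs.Produces;
import javax.ws.rs.QueryParam;
import javax.ws.rs.core.MediaType;
import javax.ws.rs.core.Response;

import com.atlassian.confluence.user.AuthenticatedUserThreadLocal;
import com.atlassian.confluence.user.ConfluenceUser;

@Path("/lock-content-macro")
public class LockContentMacroRestEndPoint {

    /** Hypothetical stand-in for Confluence's group directory lookup. */
    public interface GroupLookup {
        List<String> find(String searchTerm);
    }

    private final GroupLookup groupLookup;

    public LockContentMacroRestEndPoint(GroupLookup groupLookup) {
        this.groupLookup = groupLookup;
    }

    // BEFORE (the defect described in this ticket): the group list is returned
    // to whoever asks, so an anonymous browser request gets the JSON array.
    @GET
    @Path("/groups-unguarded")
    @Produces(MediaType.APPLICATION_JSON)
    public Response getGroupsUnguarded(@QueryParam("searchTerm") String searchTerm) {
        return Response.ok(groupLookup.find(searchTerm)).build();
    }

    // AFTER: require a logged-in Confluence user before doing any work.
    // AuthenticatedUserThreadLocal.get() is null for anonymous requests.
    @GET
    @Path("/groups")
    @Produces(MediaType.APPLICATION_JSON)
    public Response getGroups(@QueryParam("searchTerm") String searchTerm) {
        ConfluenceUser user = AuthenticatedUserThreadLocal.get();
        if (user == null) {
            // 401 rather than an empty array: the client must authenticate first.
            return Response.status(Response.Status.UNAUTHORIZED).build();
        }
        return Response.ok(groupLookup.find(searchTerm)).build();
    }
}
```

      A regression check for this fix is the unauthenticated browser request from the replication steps: after the change it must return 401 (or the login page) rather than a JSON array, whether the array is empty or not.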

      AFFECTED VERSIONS
      The problem was found during the release of ScriptRunner for Confluence version 5.4.9, but the issue was probably present in older versions too.
      Also tested with the latest version of ScriptRunner for Confluence, 5.4.47, and the issue is still present.

          People

            twortham Tiffany Wortham
            lassenza Luigi Assenza