Security problem with viewport


Andrew Stickler

Jun 26, 2018, 5:09:01 AM
to Scroll Viewport Developers
Hi - I am using Scroll Viewport to host a knowledge base for my company, but have a permissions issue. 

We want any 3rd-party user to access the viewport without logging in, so we have enabled anonymous access to the whole of Confluence (but disabled it on all other spaces), set the viewport setting "Restrict access to Confluence UI", and configured 'Groups with access to the Confluence UI' to 'confluence_users'.

This works fine, except if 3rd-party users browse to our Confluence home page, they get to see the list of spaces (only the one enabled for viewport is visible, which is fine) but also the 'Discover' section, which, in the 'All Updates' section, displays details of any internal Confluence comments that were added to the pages in the viewport (including the actual comment text!). 

This is a serious security breach, and I would like to know if there is any workaround other than preventing internal users from adding comments to those pages in the first place.

Regards,
Andrew

Steffen Burzlaff (K15t Software)

Jun 26, 2018, 7:23:40 AM
to Scroll Viewport Developers
Hi Andrew,

Scroll Viewport has the scope of a space. Since the Dashboard doesn't belong to a space, this has nothing to do with Scroll Viewport, but with Confluence itself.
What you could do is insert a "show-to" or "hide-to" macro into your dashboard: https://community.atlassian.com/t5/Confluence-questions/Can-I-hide-the-Dashboard-from-Anonymous-Users/qaq-p/434425
This will prevent anonymous users from accessing your dashboard. The other approach would be to install a redirect macro, https://community.atlassian.com/t5/Confluence-questions/How-can-I-prevent-anonymous-access-to-the-Dashboard/qaq-p/426707, which will redirect anonymous users back to the viewport.

Scroll Viewport isn't meant to completely restrict access to your Confluence; it is meant to give a space another view of the content. Also, as mentioned above, the dashboard is not in the scope of the viewport plugin. Therefore please be aware that the dashboard is not the only page which an anonymous user could enter (for example the space directory).

Hope this helps and solves your problem. If you need help to include these solutions on your dashboard, please contact Atlassian Support.

Thanks and have a nice day.
Best,
Steffen
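One way to verify from the outside what Andrew describes, as an added example that is not part of this thread and not Scroll Viewport or Atlassian code: it queries the Confluence REST API with no credentials and reports which spaces and comment bodies an anonymous visitor can read, so the check can be re-run after a dashboard fix. The two REST endpoints are standard Confluence Server endpoints; BASE_URL, the "KB" space key and the sample JSON are constructed placeholders.

```python
"""Check what an anonymous visitor can read from a Confluence site whose
viewport space is public. Added example; BASE_URL and sample data are
constructed placeholders, not a real site."""
import json
import urllib.request

BASE_URL = "https://confluence.example.invalid"  # placeholder


def anonymous_get(path):
    """GET a REST path with no cookie or Authorization header, i.e. the
    exact view an unauthenticated 3rd-party user gets."""
    with urllib.request.urlopen(BASE_URL + path, timeout=10) as resp:
        return json.load(resp)


def visible_comments(search_json):
    """Reduce a /rest/api/content/search?cql=type=comment response to
    (space key, comment title, first 60 chars of body). Anything listed
    here is exactly what the dashboard 'All Updates' feed can show."""
    found = []
    for item in search_json.get("results", []):
        space = item.get("space", {}).get("key", "?")
        body = item.get("body", {}).get("storage", {}).get("value", "")
        found.append((space, item.get("title", ""), body[:60]))
    return found


def assess(spaces_json, search_json, published_spaces):
    """Compare anonymously visible spaces and comments against the set of
    spaces meant to be public. Returns a list of findings (empty = clean)."""
    findings = []
    for sp in spaces_json.get("results", []):
        if sp.get("key") not in published_spaces:
            findings.append(f"space {sp['key']} visible but not published")
    comments = visible_comments(search_json)
    if comments:
        findings.append(f"{len(comments)} comment bodies readable anonymously")
    return findings


# Constructed sample responses standing in for a live server.
SAMPLE_SPACES = {"results": [{"key": "KB"}, {"key": "HR"}]}
SAMPLE_COMMENTS = {"results": [{"title": "Re: Install guide", "space": {"key": "KB"},
                                "body": {"storage": {"value": "<p>internal note</p>"}}}]}

if __name__ == "__main__":
    spaces = anonymous_get("/rest/api/space?limit=200")
    comments = anonymous_get(
        "/rest/api/content/search?cql=type%3Dcomment&expand=body.storage,space&limit=50")
    for line in assess(spaces, comments, {"KB"}):
        print(line)
```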