I've raised this with Atlassian (and assume nothing will be done) but wanted to share this with the community in case it's useful --
We use Jira and Confluence as a digital agency, which means we don't just have internal company users - our clients use our instance too (and we just customise user or group settings so they can't see projects/spaces they're not meant to).
We just noticed a big change to Confluence permissions (not sure how new they are) - the 'confluence-users' group is added to new spaces, with full access by default (view, create and delete pages, etc). Traditionally, anyone who needs to access Confluence needs to be added to the 'confluence-users' group (that's our understanding anyway). Therefore, if Atlassian have now set it up so that all new Confluence spaces will include that group by default, everyone you've added to that 'confluence-users' group can view each others' spaces, even if they're not meant to! In other words, your entire Confluence user base as access to your Confluence spaces (unless you've specifically restricted a space or page - I've noticed that still works, thank goodness).
For us, that means clients were able to see new pages being published (unless we adjust the permissions for the 'confluence-users' group in each space).
Generally, yhis poses massive privacy issues as you can imagine. The only way to get around this issue for us was to (quickly) go through each space, remove that group's access wherever necessary, ie:
- Go to each Confluence space's 'Space settings'
- Find Space permissions > Groups
- Hit 'Edit' > Uncheck the 'View' box for 'confluence-users'
- Hit 'Save'
- The 'confluence-users' group should disappear (the rest of the access remains the same)
Note that this was possible to do quickly because:
- We don't have hundreds of spaces
- I have 'god' admin so I have all the permissions to do whatever is required
- I set up our Jira and Confluence so I have all the understanding of groups, users, access, etc
- We don't store absolutely everything (confidential or otherwise) in Confluence! It has been discussed we should, but after this issue, nope
I don't even want to think about the implications of having thousands of spaces and a massive user base.
We only discovered this problem because a team member had to create a new space yesterday and I hadn't gotten around to checking the Group permissions tab (not knowing this permissions section had changed), and a different client told us they could see this client's space and had received notifications about it.
Separately, I started receiving notifications about new pages being created in a client's Confluence instance (which again, we shouldn't have access to and had originally put down to user error!). Strange coincidence, but glad it happened because it allowed me to analyse what was going on in our instance and mitigate the risk as fast as possible on our end.
Even for an enterprise not using their instance with external people, this still poses issues, and the impact could be dire, especially for people who:
- Don't know about this Confluence permission change
- Don't have any understanding of how the 'confluence-users' group works or why it even exists
- Don't have quick access to change Confluence settings (due to being in a large organisation or just not having the right level of access)
- Have users who are lax with restricting access to pages with sensitive information
We can't possible be the only ones who experienced this?
