Atlassian
Child pages
  • Administration Guide 2.1 - Custom Filters
Skip to end of metadata
Go to start of metadata

Space Privacy - Extranet for Confluence

See the documentation for your Release

Table of Contents

Custom Filter

URL filter configuration


404 - Page not found

Add a custom filter

We did our best to secure every sensitive user data within Confluence and Linchpin. But there are many third-party plugins which provide their own resources and may expose too much information in an extranet.

Therefore we implemented the possibility to secure those resources by simply blocking them for extranet users.

This means the url is blocked, if the user

  • is assigned to at least one extranet AND
  • is not a user or space manager in at least one extranet AND
  • is not a Confluence administrator AND
  • the visibility configuration is set to "Global and Space Administrators and Extranet User Managers"

To add a custom filter simply insert the url to be blocked into the URL input field. You may skip the base url and the context path.

For example insted of http://yourinstance.de/confluence/browsepeople.action you may simply insert /browsepeople.action

There are certain urls that are not able to be blocked, as they may break your Confluence instance:

  • /admin/*
  • /download/*
  • /images/*
  • /plugins/servlet/upm

Blocking in this case means, that the user gets a "404 - Page not found" error (not "No Permission" error). This way there is no information exposed about the existence of a resource.


Use a Wildcard

For blocking several branches of the same url you may use wildcards (asteriks).

For example if you insert /plugin/example* the following urls will be blocked

  • /plugin/example
  • /plugin/example/page
  • /plugin/example/page/childpage

These urls will NOT be blocked

  • /plugin/extra
  • /plugin/extra/page


Username placeholder

Some urls contain a dynamic username (e.g. for fetching data for a distinct user). For that you can add a placeholder in the url pattern and the plugin will check if you are allowed to see the given user.

This can be done by adding the key word {username} into your url

For example if you insert /plugin/sensitivedata/{username} the plugin will check visibilities for the value given instead if {username}.

If the url ist called with /plugin/sensitivedata/extranetuser1 the username is extranetuser1, if the caller is not allowed to see this user, the content will be blocked.

Furthermore it can be used with query parameters /plugin/userdata?username={username}, so visibility for extranetuser1 will be checked, if the url is called with /plugin/userdata?username=extranetuser1

  • No labels