See the documentation for your Release

Table of Contents

Custom Filter

URL filter configuration

404 - Page not found

Add a custom filter

We did our best to secure every sensitive user data within Confluence and Linchpin. But there are many third-party plugins which provide their own resources and may expose too much information in an extranet.

Therefore we implemented the possibility to secure those resources by simply blocking them for extranet users.

This means the url is blocked, if the user

  • is assigned to at least one extranet AND
  • is not a user or space manager in at least one extranet AND
  • is not a Confluence administrator AND
  • the visibility configuration is set to "Global and Space Administrators and Extranet User Managers"

To add a custom filter simply insert the url to be blocked into the URL input field. You may skip the base url and the context path.

For example insted of you may simply insert /browsepeople.action

(warning) There are certain urls that are not able to be blocked, as they may break your Confluence instance:

  • /admin/*
  • /download/*
  • /images/*
  • /plugins/servlet/upm

(warning) Blocking in this case means, that the user gets a "404 - Page not found" error (not "No Permission" error). This way there is no information exposed about the existence of a resource.

Use a Wildcard

For blocking several branches of the same url you may use wildcards (asteriks).

For example if you insert /plugin/example* the following urls will be blocked

  • /plugin/example
  • /plugin/example/page
  • /plugin/example/page/childpage

These urls will NOT be blocked

  • /plugin/extra
  • /plugin/extra/page

Username placeholder

Some urls contain a dynamic username (e.g. for fetching data for a distinct user). For that you can add a placeholder in the url pattern and the plugin will check if you are allowed to see the given user.

This can be done by adding the key word {username} into your url

For example if you insert /plugin/sensitivedata/{username} the plugin will check visibilities for the value given instead if {username}.

If the url ist called with /plugin/sensitivedata/extranetuser1 the username is extranetuser1, if the caller is not allowed to see this user, the content will be blocked.

Furthermore it can be used with query parameters /plugin/userdata?username={username}, so visibility for extranetuser1 will be checked, if the url is called with /plugin/userdata?username=extranetuser1

  • No labels

This content was last updated on 02/25/2020.

This content hasn't been updated in a while. That doesn't have to be a problem. Some of our pages live for years without becoming obsolete. Please click this link if you want us to update this page. Old content can be incorrect, misleading or outdated. Please get in contact with us via a form on this page, our live chat or via email with if you are in doubt, have a question, suggestion, or want changes from us.