Document Properties

Name: Security Considerations
Document type: topic
Short Description: Userscripts for Confluence supports the execution of script code in the browsers of users. It is important to understand the use cases in order to understand the security implications.
Audience: Confluence Administrator, Userscripts Administrator
Level of Experience: Advanced Beginner
Iteration: released

Script Locations

Userscripts for Confluence allows JavaScript files to be downloaded either from a Confluence location or from a remote location.

The location of the JavaScript file is defined by the property named "script".

Confluence Location

The JavaScript files are typically added as attachments to pages. Userscripts for Confluence checks that the file has the proper filename extension ".js" and that the file size is not larger than 1 megabyte.

To ensure that the JavaScript file is not manipulated by unprivileged users, the app only serves files that are accessible by confluence administrators or userscripts administrators.

Therefore the page is required to grant write access only to members of these groups. If no restrictions are set at page level, the app requires that the space is accessible only by members of these two groups.

Caution

It is recommended to add JavaScript files only to dedicated spaces to which only the groups mentioned above have access.

As space admin, go to the Permissions tab of Space Tools.

[Screenshot: the recommended permission configuration for a space providing userscripts.]

In the recommended permission configuration for a userscripts repository space, we do not grant access to individual users. If you want individual users to have access privileges, make sure that all individual users listed on this page are members of either confluence administrators or userscripts administrators.

Disallow anonymous access.

Alternative with users having read access:

If non-administrators need to have read access, the following is also a valid configuration.

[Screenshot: a permission configuration for a space that grants administrators write access and users read access.]

No user who is not a member of the administrators group is allowed to create, add or remove pages, or to add or remove attachments. Configuring restrictions and performing space administration tasks are not allowed either. You may want to be more restrictive than the configuration shown above. From the Userscripts for Confluence point of view, users without administration privileges do not need access to the space.

Alternatively, you may also configure the proper access restrictions at page level.

Note that the userscripts service needs to serve JavaScript files to users independently of their access privileges. In particular, anonymous users may need to execute JavaScript code without having access privileges to the attached JavaScript files.


Remote Locations

If a script URL points to a remote location, this URL is required to be listed in the Confluence whitelist. The filename is required to have the extension ".js".

No further restrictions apply.
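As an added example that is not the app's own code, the following Python models the serving rules described above for a Confluence-hosted script (extension, size, page-level write restrictions, otherwise space-level access) and for a remote script (extension, whitelist). The group names, the membership map and the prefix-based whitelist are assumptions made for the illustration.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple
from urllib.parse import urlsplit

# Assumed group names; the page only names the two administrator roles.
ADMIN_GROUPS = frozenset({"confluence-administrators", "userscripts-administrators"})
MAX_SCRIPT_BYTES = 1024 * 1024  # page: file size not larger than 1 megabyte


@dataclass(frozen=True)
class ConfluenceScript:
    filename: str
    size_bytes: int
    # Principals holding write access on the page; None = no page-level restriction.
    page_write_groups: Optional[FrozenSet[str]] = None
    page_write_users: FrozenSet[str] = frozenset()
    # Space-level access: groups, individual users and the anonymous flag.
    space_groups: FrozenSet[str] = frozenset()
    space_users: FrozenSet[str] = frozenset()
    space_anonymous: bool = False


def _only_admins(groups: FrozenSet[str], users: FrozenSet[str],
                 memberships: Dict[str, FrozenSet[str]]) -> bool:
    """True when every group is an admin group and every listed user belongs to one."""
    return groups <= ADMIN_GROUPS and all(
        memberships.get(u, frozenset()) & ADMIN_GROUPS for u in users)


def check_confluence_script(s: ConfluenceScript,
                            memberships: Dict[str, FrozenSet[str]]) -> Tuple[bool, str]:
    if not s.filename.endswith(".js"):
        return False, "filename extension must be .js"
    if s.size_bytes > MAX_SCRIPT_BYTES:
        return False, "file larger than 1 MB"
    if s.page_write_groups is not None:  # page restrictions take precedence
        if _only_admins(s.page_write_groups, s.page_write_users, memberships):
            return True, "page write access limited to administrators"
        return False, "page write access includes non-administrators"
    if s.space_anonymous:
        return False, "space allows anonymous access"
    if _only_admins(s.space_groups, s.space_users, memberships):
        return True, "space access limited to administrators"
    return False, "space access includes non-administrators"


def check_remote_script(url: str, whitelist: List[str]) -> Tuple[bool, str]:
    # Whitelist modelled as allowed URL prefixes (an assumption; Confluence has more rule types).
    if not urlsplit(url).path.endswith(".js"):
        return False, "filename extension must be .js"
    if not any(url.startswith(prefix) for prefix in whitelist):
        return False, "URL not in Confluence whitelist"
    return True, "remote URL allowed"
```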



Script Access

Script access is conducted in two steps.

  1. Userscripts Context Service: calculates all applicable scripts and returns their links to the user's browser for execution.
  2. Userscripts Service: serves an individual script, which is cached for performance reasons.

The access privileges are not checked by the context service. Only the script service checks that the access privileges are properly set.

When a script is accessed, no validation checks other than the privilege checks are executed. The other checks are only conducted when the script is stored to the database (either created or updated).

The original script URL is substituted with a local URL, so the client does not access the backend system hosting the scripts.



Resources

More information on this topic is available from the following resources.

Understanding Permission in Confluence: Confluence has three levels of permission: Global Permissions, Space Permissions, and Page Restrictions. This article on Confluence Service Support discusses them.

Page Restrictions: Page restrictions allow you to control who can view and/or edit individual pages in a space. This article on Confluence Service Support shows how to use page restrictions.

Configuring the Whitelist: Confluence administrators can choose which incoming and outgoing connections to allow. This article on Confluence Service Support provides information on the Confluence whitelist.

Navigating to Space Tools: An article on Confluence Service Support that shows how to find the Space Tools.

Space Permissions Overview: Every Confluence space has its own set of permissions, which determine what people can do in the space. This article on Confluence Service Support shows the configuration options for space permissions.