- Created by Seibert Media employee, last modified by Administrator on Feb 13, 2019
Add a custom filter
We did our best to secure all sensitive user data within Confluence and Linchpin. However, many third-party plugins provide their own resources and may expose too much information in an extranet.
Therefore we implemented a way to secure those resources by simply blocking them for extranet users.
This means the URL is blocked if the user
- is assigned to at least one extranet AND
- is not a user or space manager in at least one extranet AND
- is not a Confluence administrator AND
- the visibility configuration is set to "Global and Space Administrators and Extranet User Managers"
To add a custom filter, simply insert the URL to be blocked into the URL input field. You may skip the base URL and the context path.
For example, instead of http://yourinstance.de/confluence/browsepeople.action you may simply insert /browsepeople.action
Certain URLs cannot be blocked, as blocking them may break your Confluence instance:
- /admin/*
- /download/*
- /images/*
- /plugins/servlet/upm
Blocking in this case means that the user gets a "404 - Page not found" error (not a "No Permission" error). This way, no information is exposed about the existence of a resource.
Use a Wildcard
To block several branches of the same URL, you may use wildcards (asterisks).
For example, if you insert /plugin/example* the following URLs will be blocked:
- /plugin/example
- /plugin/example/page
- /plugin/example/page/childpage
These URLs will NOT be blocked:
- /plugin/extra
- /plugin/extra/page
Username placeholder
Some URLs contain a dynamic username (e.g. for fetching data for a distinct user). For these you can add a placeholder to the URL pattern, and the plugin will check if you are allowed to see the given user.
This can be done by adding the keyword {username} to your URL.
For example, if you insert /plugin/sensitivedata/{username} the plugin will check visibilities for the value given in place of {username}.
If the URL is called with /plugin/sensitivedata/extranetuser1, the username is extranetuser1. If the caller is not allowed to see this user, the content will be blocked.
Furthermore, the placeholder can be used with query parameters, as in /plugin/userdata?username={username}, so visibility for extranetuser1 will be checked if the URL is called with /plugin/userdata?username=extranetuser1
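The matching rules from the wildcard and username placeholder sections, modelled as a small Python script for checking filter patterns against sample URLs before entering them. This is an added example, not Linchpin's code: the function names, the reading of `*` as "any remaining characters" and the rule that `{username}` ends at `/`, `?`, `&` or `#` are assumptions.

```python
import re
from urllib.parse import urlsplit

# Paths the page lists as not blockable.
UNBLOCKABLE = ("/admin/*", "/download/*", "/images/*", "/plugins/servlet/upm")

def compile_pattern(pattern):
    """Translate a filter pattern into a regex (assumed semantics, see lead-in)."""
    parts = []
    for token in re.split(r"(\*|\{username\})", pattern):
        if token == "*":
            parts.append(".*")                            # wildcard: anything
        elif token == "{username}":
            parts.append(r"(?P<username>[^/?&#]+)")       # one segment or value
        else:
            parts.append(re.escape(token))                # literal text
    return re.compile("".join(parts) + r"\Z")

def request_target(url, context_path=""):
    """Drop base URL and context path, keep path plus query string."""
    split = urlsplit(url)
    path = split.path
    if context_path and path.startswith(context_path):
        path = path[len(context_path):]
    return path + ("?" + split.query if split.query else "")

def evaluate(pattern, url, context_path=""):
    """Return (matched, username) for one pattern and one requested URL."""
    m = compile_pattern(pattern).match(request_target(url, context_path))
    return (True, m.groupdict().get("username")) if m else (False, None)

def is_unblockable(pattern):
    """True if the pattern falls under a path the page lists as not blockable."""
    return any(compile_pattern(u).match(pattern) for u in UNBLOCKABLE)

if __name__ == "__main__":
    # Patterns and URLs taken from the examples on this page.
    checks = [
        ("/plugin/example*", "/plugin/example/page/childpage"),
        ("/plugin/example*", "/plugin/extra/page"),
        ("/plugin/sensitivedata/{username}", "/plugin/sensitivedata/extranetuser1"),
        ("/plugin/userdata?username={username}", "/plugin/userdata?username=extranetuser1"),
    ]
    for pattern, url in checks:
        print(pattern, url, evaluate(pattern, url))
```

A match with a username means the plugin would go on to check whether the caller may see that user; a match without one means the URL is simply blocked for users who meet the conditions listed above.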
This content was last updated on 02/13/2019.