
Access requirements on Confluence

Open secbyd opened this issue 3 years ago • 1 comment

Could you please elaborate on the minimum access requirements the Sphinx for Confluence account needs to publish/delete pages. I created a separate user with a PAT and granted it full admin access to a particular space.

While debugging the first request is successful (HTTP 200) the second request results in a HTTP 403.

    DEBUG:urllib3.connectionpool:https://CONFSERVER:443 "GET /rest/api/space?spaceKey=TAT&limit=1 HTTP/1.1" 200 None
    DEBUG:urllib3.connectionpool:https://CONFSERVER:443 "GET /rest/api/search?cql=type%3Dspace+and+space.title~%22TEST%22&limit=2 HTTP/1.1" 403 None

The second REST request is accessible for a different account but as this has privileged access, it is difficult to determine which right to grant the Sphinx account.

PS It does not seem right to search for space.title as space.title and spacekey are usually different. Changing confluence_space_key in conf.py to the actual space.title still resulted in a 403 which rules out a potential problem there.

Any suggestions would be highly appreciated.

secbyd avatar May 27 '22 14:05 secbyd

The initial "successful" request (200) is a bit misleading. The first request will search for a space with a key value TAT for the configured user/PAT. While the request for the space has been successfully invoked, it is reporting that no space key exists ("200 None"). This is either:

  • The space with the key TAT does not exist on the Confluence instance; or,
  • The user requesting the search does not have permission to view the Confluence instance.

In this case, it appears that it would be the latter case, since the fallback search request results in an authentication issue. Note that the secondary search request only occurs if the first space search attempt fails. Its purpose is solely to help find possible other spaces with similar matching names based off the configured space key. The choice of the space's title value was used in this case over the space's key value. I would agree that both are completely different, but Confluence's search API does not provide a way to wildcard search on space keys (please, correct me if I am wrong here). The main reason why the alternative search was added was that a couple of times, users reported configuration issues only to find out that they copy-pasted the space's title value over the key value -- this was an attempt to help present a more descriptive error case to these users.

I have always found it interesting that an explicit search API call (/wiki/rest/api/search) can throw an authentication error, but a space search (/wiki/rest/api/space) will not. I am sure Atlassian has its reasons for this.

As for permission settings, it is important that the user is given access (or is part of a group) with the following options checked for a site:

  • Space - View
  • Page - Add, Delete
  • Attachments - Add, Delete

Note that even if a user is given "Admin" access, this does not mean the user has permission to edit pages (although, I would assume search requests should be succeeding). If a user is configured with the above permissions and has a PAT matching the value set in confluence_publish_token (and other authentication options are not used, such as confluence_server_user), authentication should succeed. If it does not, the only other thing I can think of off hand is that a proxy is being used and the Authorization header is not being forwarded to Confluence.

jdknight avatar May 29 '22 00:05 jdknight
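An added example (not part of the sphinxcontrib-confluencebuilder project or of either comment above) that reproduces the two-request probe from the debug log so an administrator can check a publishing account's access before running a build. It issues the same GET /rest/api/space?spaceKey=... lookup and the same CQL fallback on /rest/api/search with the PAT as a Bearer token, and interprets the "200 with no results" case that the thread calls misleading. The classification labels, the `fetch` injection point and the replayed responses are this script's own assumptions; the replayed responses are constructed to match the log in the issue.

```python
"""Probe what a Confluence PAT can see, following the two requests in the issue log."""
import json
import urllib.error
import urllib.parse
import urllib.request


def space_url(base, space_key):
    """Direct lookup by space key, as the extension's first request does."""
    query = urllib.parse.urlencode({"spaceKey": space_key, "limit": 1})
    return f"{base.rstrip('/')}/rest/api/space?{query}"


def search_url(base, title):
    """CQL fallback search on space.title, as the extension's second request does."""
    cql = f'type=space and space.title~"{title}"'
    query = urllib.parse.urlencode({"cql": cql, "limit": 2})
    return f"{base.rstrip('/')}/rest/api/search?{query}"


def http_get(url, token):
    """Real fetch: returns (status, parsed JSON body); HTTP errors become (code, {})."""
    req = urllib.request.Request(
        url, headers={"Authorization": f"Bearer {token}", "Accept": "application/json"}
    )
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return resp.status, json.loads(resp.read() or b"{}")
    except urllib.error.HTTPError as err:
        return err.code, {}


def classify_space_lookup(status, body):
    """A 200 with an empty result list means the key is not visible to this token:
    either the space does not exist or the account lacks Space View permission."""
    if status == 200:
        return "visible" if body.get("results") else "not-visible"
    if status in (401, 403):
        return "forbidden"
    return f"unexpected-{status}"


def diagnose(base, space_key, token, fetch=http_get):
    """Run the space lookup, then the fallback search only if the lookup found nothing."""
    status, body = fetch(space_url(base, space_key), token)
    space_verdict = classify_space_lookup(status, body)
    if space_verdict == "visible":
        return {"space": "visible", "search": "skipped",
                "hint": f"space key {space_key} is visible to this token"}

    sstatus, sbody = fetch(search_url(base, space_key), token)
    search_verdict = classify_space_lookup(sstatus, sbody)
    if search_verdict == "forbidden":
        hint = (f"space key {space_key} not visible and fallback search refused ({sstatus}): "
                "check that the account has Space - View on the target space and that "
                "the Authorization header reaches Confluence")
    elif search_verdict == "visible":
        titles = [r.get("title") for r in sbody.get("results", [])]
        hint = f"no space with key {space_key}; similarly titled spaces: {titles}"
    else:
        hint = f"space key {space_key} not visible; no similarly titled space found"
    return {"space": space_verdict, "search": search_verdict, "hint": hint}


def replay_issue_log(url, token):
    """Constructed stand-in for http_get that replays the responses seen in the issue:
    the key lookup answers 200 with no results, the fallback search answers 403."""
    if "/rest/api/space?" in url:
        return 200, {"results": [], "size": 0}
    return 403, {}


if __name__ == "__main__":
    # Offline run against the replayed responses; swap in http_get for a live check.
    print(diagnose("https://CONFSERVER", "TAT", "PAT-PLACEHOLDER", fetch=replay_issue_log))
```

For a live check replace `replay_issue_log` with the default `http_get`; a `forbidden` verdict on the fallback search together with `not-visible` on the key lookup is the signature from the issue, and points at the Space - View permission (or a proxy dropping the Authorization header) rather than at the space key value.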

Two updates have been made associated with this issue. First, the implementation has been updated for users running a debug mode to clarify what is happening (if users see one request pass, another fail, debug logs will reflect why this is to help advanced users understand the URL response codes). Second, a new Publishing permissions section has been added into the documentation to provide clarity to users/system administrators on the permissions needed for this extension.

Hopefully this provides additional information to users related to access requirements. Marking as closed.

jdknight avatar Aug 21 '22 18:08 jdknight