Last updated Mar 29, 2018

How do I tell if a user has permission to...?

When you write a Confluence plugin, it's important to check that a user has permission to do the operations your plugin performs. Confluence does not enforce security for you; it's up to your code to perform these checks.

There are two places you might want to check permissions:

  • In Java code
  • In Velocity templates

Check permissions in Java code

You will need the following:

The PermissionManager has quite a few methods (Javadoc), but the most important are:

/**
 * Determine whether a user has a particular permission against a given target.
 *
 * @param user the user seeking permission, or null if the anonymous user is being checked against
 * @param permission the permission to check
 * @param target the object that the permission is being checked against. If this object is null, the method
 *        will return false
 * @return true if the user has this permission, false otherwise
 * @throws IllegalStateException if the permission being checked against does not apply to the target
 */
boolean hasPermission(User user, Permission permission, Object target);

/**
 * Determine whether a user has permission to create an entity of a particular type within a given container.
 *
 * <p>The container is the natural container of the object being created. For example, a comment is contained
 * in a page, which is contained within TARGET_APPLICATION.
 *
 * @param user the user seeking permission, or null if the anonymous user is being checked against
 * @param container the target that the object is being created within. If this object is null, the method
 *        will return false
 * @param typeToCreate the type of object being created (see above)
 * @return true if the user has permission, false otherwise
 * @see com.atlassian.confluence.core.ContentEntityObject#getType()
 * @throws IllegalStateException if the permission being checked against does not apply to the target
 */
boolean hasCreatePermission(User user, Object container, Class typeToCreate);

Simple Permissions

Generally you will ask a question like this: "Does some user have permission to do something to some target?" For example: "Does BOB have permission to VIEW this PAGE?", "Does JANE have permission to REMOVE this ATTACHMENT?" These questions are mapped to the hasPermission() method mentioned previously.

The possible values of "something" are all constants of the Permission class listed in this Javadoc. At the time of writing, the permission 'verbs' are:

Permission.VIEW
Permission.EDIT
Permission.EXPORT
Permission.REMOVE
Permission.SET_PERMISSIONS
Permission.ADMINISTER

To check if your user has permission to edit a particular page, the call is:

permissionManager.hasPermission(myUser, Permission.EDIT, thePage)

For global permissions, the 'target object' is considered to be the Confluence application itself. There is a special target, TARGET_APPLICATION, that represents the application as a whole. So, to check if someone is a global administrator, the call is:

permissionManager.hasPermission(myUser, Permission.ADMINISTER, PermissionManager.TARGET_APPLICATION)

Create permissions

Checking if someone can create an object (page, blogpost, space, etc.) is a little more complicated. Every object is created inside another object. Comments and Attachments are created inside Pages or BlogPosts. Pages are created inside Spaces. And Spaces are created inside TARGET_APPLICATION.

To check if someone can create something, the question is: "Does this user have permission to create this KIND OF OBJECT, in this CONTAINER?" In Java, kinds of objects are represented by their class, so to see if a user can create a comment inside a particular page, you need to call the following:

permissionManager.hasCreatePermission(myUser, containingPage, Comment.class)

To check if the user has permission to create spaces globally, call the following:

permissionManager.hasCreatePermission(myUser, PermissionManager.TARGET_APPLICATION, Space.class)
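
The following is an added example, not code from Atlassian or from the original page: one way to wrap hasPermission() and hasCreatePermission() so that plugin code denies by default, including when the target is null or the call throws the IllegalStateException described in the Javadoc above. PermissionGuard, its methods and the saveComment callback are hypothetical names; it assumes a PermissionManager has been injected into your plugin component.

```java
import com.atlassian.confluence.pages.Comment;
import com.atlassian.confluence.pages.Page;
import com.atlassian.confluence.security.Permission;
import com.atlassian.confluence.security.PermissionManager;
import com.atlassian.user.User;

/** Hypothetical helper, not a Confluence class: denies unless a check clearly passes. */
public class PermissionGuard {
    private final PermissionManager permissionManager;

    public PermissionGuard(PermissionManager permissionManager) {
        this.permissionManager = permissionManager;
    }

    /** Throws unless the user (null means anonymous) holds the permission on the target. */
    public void require(User user, Permission permission, Object target) {
        boolean allowed;
        try {
            // A null target (for example, a page lookup that found nothing) returns false.
            allowed = permissionManager.hasPermission(user, permission, target);
        } catch (IllegalStateException e) {
            // The permission does not apply to this kind of target: treat as denied.
            allowed = false;
        }
        if (!allowed) {
            throw new SecurityException("Permission denied: " + permission);
        }
    }

    /** Throws unless the user may create typeToCreate inside the container. */
    public void requireCreate(User user, Object container, Class<?> typeToCreate) {
        boolean allowed;
        try {
            allowed = permissionManager.hasCreatePermission(user, container, typeToCreate);
        } catch (IllegalStateException e) {
            allowed = false;
        }
        if (!allowed) {
            throw new SecurityException("Create denied: " + typeToCreate.getSimpleName());
        }
    }

    /** Call site: the check runs before the state change, never after. */
    public void addComment(User user, Page page, Runnable saveComment) {
        requireCreate(user, page, Comment.class);
        saveComment.run(); // hypothetical callback that performs the actual save
    }
}
```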

Check permissions in Velocity templates

While all of the above is very powerful, it's a bit complicated to deal with in a Velocity file. The default Velocity context contains an object called $permissionHelper that has a number of useful methods. The methods do pretty much what you'd expect them to do, so here is a link to the Javadoc and a simple example:

#if ($permissionHelper.canEdit($authenticatedUser, $action.page))
    <b>You have Edit Permission for this Page</b>
#end