Skip to main content
Skip table of contents

Can API be used by non-privileged users to falsely approve or reject Confluence pages?


This article will cover points around:

  • Limitation of users that can approve a page

  • Highlight the application intent


To help understand the impact if API can act out of character, we would first need to understand the following points :

  • How is approval data stored?

    • All page approval data is stored against content-property module provided by Atlassian, ref: Content Property.

  • Who can modify content property?

    • Users who can see the page can query the approval data

    • Users who can edit the page can modify the approval data

Based on the above, it is essential to understand that, as users, you can mutate the approval data (via API) if you have permission to modify the page.

Modification is possible since the storage data is an extension of page content from a view/edit perspective. You can still modify the page content after the page has been approved (i.e., the content will not be locked down).

The Page Approval for Cloud app is meant to be helpful in a non-stringent approval process with its current architecture.

JavaScript errors detected

Please note, these errors can depend on your browser setup.

If this problem persists, please contact our support.