A custom content that has a page (or presumably any other content type) as its container can be created in a different space than its container. Assuming I want to attach a custom content of type ac:test:test to a page 123 in space A, I can create that custom content in space B:
fetch('/wiki/rest/api/content', {
method: 'POST',
headers: { 'Content-type': 'application/json' },
body: JSON.stringify({
title: 'Test',
type: 'ac:test:test',
space: { key: 'B' },
container: { id: '123', type: 'page' }
})
});
The custom content is now part of space B even though its container is part of space A.
I don’t know if there are any serious consequences of this glitch. I tried around a bit whether I could exploit it to circumvent permission checks, but haven’t been able to do so. It seems that it only checks the permissions in space A, not in space B, but still fails if I don’t have permission to create custom content objects in space B because it tries to add the editor content property, which fails if the permissions are missing.