Forbidden to find trashed content using REST API

When making a request for trashed content (e.g. /wiki/rest/api/content?type=page&spaceKey=TEST&status=trashed) using either the AP.request module from the browser, or using user impersonation when making REST API calls from a backend service, I am consistently getting a 403 Forbidden response, despite the fact that the current user in both scenarios can view trashed content in the relevant space.

Anybody from the Confluence REST API team able to help?

1 Like

I’ve tried this on several different Confluence Cloud instances to rule out strange permission configurations, and got nowhere. @dmorrow, @rwhitbeck or @nmansilla are you able to flag this with someone who works on Confluence? It’s broken in production for my app…

Sorry for the lack of response. I did bring this up with the team last Thursday. I’ll follow up again.

The team pointed me to some internal discussions … looks like the API is mimicking the same functionality as seen in the UI. Only Space Admins have the ability to restore trashed pages and thus the ability to see this content is limited.

Trashed content has been thrown away (put still retrievable by space admins). It shouldn’t be able to still be accessible by users or collaborators.

This is working as intended.

Hey Ralph,

Apologies if I wasn’t clear. When making the API request mentioned as a space admin using AP.request or using user impersonation authentication against the REST API from a backend service, I am unable to retrieve trashed pages that I am able to view in the UI.

Here’s some screenshots that may help:

The team has raised https://jira.atlassian.com/browse/CONFCLOUD-70441 due to your report. You can follow this issue there.

It looks like the issue was closed and reopened several times back in July but is now marked as Fixed. I’m not sure how the behaviour of this has changed in the last months, but today I stumbled across this issue, and it turns out we also got a support request for it last week.

Trying to access or purge any trashed content as any space/product admin user ends with a 403 Forbidden error with the message com.atlassian.confluence.api.service.exceptions.PermissionException: User not permitted to read trashed or deleted content.