Hide wiki markup – Confluence user macro
by David. Average Reading Time: about 2 minutes.
Update: 2011-09-20 With the release of Confluence 4.0, this post obsolete.
A simple Confluence user macro to hide access to the View Wiki Markup menu link…
{hide-wiki-markup}
One thing I love about Confluence is the way that you can browse other people’s pages and steal their superior layout ideas for your own wiki pages.
It’s dead easy to do. Go to the Tools drop down menu and click on the View Wiki Markup link. A new window will open containing the wiki markup for the page. You can now copy the bits you like and discard the rest. Your friends and colleagues will be impressed by your wiki skills and you can continue on your path to becoming a wiki ninja.
But what if you don’t want to share those wiki markup skills?
That’s not very collaborative, I know. But there are entirely valid reasons that you’d wish to disable this feature.
An example of this is use of the {sql} plugin. This is a really powerful plugin that allows you to query databases and tabulate the results in Confluence. Wrap this in a {chart} macro and you have an instant graph. Nice work! There’s a great blog post at Atlassian that use this to great effect.
Security
However, using this kind of markup on a public website is a bad idea. Exposing the structure of your databases to people you don’t know and can’t trust is somewhat short sighted. On a company intranet, the risk is still there, but hopefully it is not so dangerous. Even so, it’s really best not to show this information in the first place.
What can we do about it?
The best solution would be additional security in the product that allows editors to prevent others from viewing wiki markup. It would probably go in the Restrictions screen. This does seem somewhat like a paranoid feature request, but call me paranoid.
Another way is to use Javascript to remove the link from the DOM. This is not a replacement for good security, but will stop the casual user from accessing the wiki markup.
It is easily done in a user macro:
As a Confluence administrator, go to Confluence Admin | User Macros and click on Create a User Macro.
Fill out the form…
Macro name: hide-wiki-markup
Output: Macro generates HTML markup
Template:
<script type="text/javascript">
jQuery('#action-view-source-link').parent().hide(); /*Updated from .remove(); Aug 2010*/
</script>
(My last name is Nonnenmacher BTW, but your comment form doesn’t allow me to write my full name, well, in full. Surely the bytes don’t come cheap those days so one has to limit them—just kidding, no worries
Nice, but that won’t prevent anyone to see the page source via the page Info menu. Or will it?
Ideally, Confluence could provide a way to lock source view on a specific page. Meanwhile, another workaround is to restrict access to the sensitive page, but include its result in another page with the include macro, so that people can view the rendered result, but not the original wiki markup.
François:I’ve been looking at writing a security plugin to fix up security on a per space basis. This could do a number of things such as enable SSL and restrict the view wiki markup option. It’s all a bit of an experiment at the moment, so don’t expect anything just yet
I’d also really like a simple admin option to enable/disable SSL on the login page too. I think this is sorely missing. Configuring SSL in Tomcat is reasonably easy, but enabling it in the application is surely more straightforward.
I have noticed, that if I remove() links from the menu the mouse overs in the menu can get messed up. Have you experienced this, too?
As a workaround i am using hide().
-Stefan
PS: My name is too long, too..
Stefan: Thanks. I’ve updated it to use .hide() instead.
Maybe I’ll have to change the theme to allow larger names.
We use Bob Swift’s Macro Security Plugin in our Confluence. Works fine! See https://plugins.atlassian.com/plugin/details/130?versionId=479 for details.