Pictures permission with copy paste not set #1049

Closed
opened 2026-02-04 23:34:56 +03:00 by OVERLORD · 3 comments

Originally created by @JtheBAB on GitHub (Feb 19, 2019).

Originally assigned to: @ssddanbrown on GitHub.

Describe the bug
When a user adds a picture directly with copy & paste in the editor, the picture is visible to all users.

Steps To Reproduce
Steps to reproduce the behavior:

  1. Create two roles that allow only editing / deleting own images, and add user A to role A and user B to role B
  2. Log in with user A
  3. Create or edit a page
  4. Copy a picture with copy and paste
  5. Save the page
  6. Log in with user B
  7. Create or edit a page
  8. Insert a picture
  9. You will see the picture from user A

Expected behavior
User B shouldn't see the picture of User A.
When the User A uses the picture upload function, then User B can't see the picture that User A uploaded.

Your Configuration (please complete the following information):

  • Exact BookStack Version (Found in settings): v0.25.1
  • PHP Version: 7.3
  • Hosting Method (Nginx/Apache/Docker): Apache
OVERLORD added the 🐛 Bug🚀 Priority🔒 Security labels 2026-02-04 23:34:56 +03:00

@ssddanbrown commented on GitHub (Feb 20, 2019):

Hi @JtheBAB,
Thank you for clearly defining this issue.

So image permissions are a little complex as visibility will depend on configuration, context and permissions.

Configuration

By default in BookStack, for performance reasons, images are put into public space where auth is not required. You can alternatively configure this to store such images in a local folder that's not within public space (local_secure option). Details of this can be found in the docs here: https://www.bookstackapp.com/docs/admin/upload-config/#local-secure

Context & Permissions

As mentioned in the roles screen when selecting image permissions, view permissions are controlled by the assets they are uploaded to. This visibility primarily is in reference to the list shown in the image manager.

General access visibility, when an image is used in a page or copied across pages, is not checked since this level of permission checking would require a fair bit of extra complexity when page content is shown.

Perhaps we need to update the wording used in the roles view to clarify this.

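As an added illustration, not BookStack's own code and not a claim about where the actual defect lived, the Python model below shows the general failure class the thread is circling: an image-manager listing filtered on the page an image was uploaded to and on who created it, combined with a second ingestion path (paste) that never records that metadata. The role and permission names, the `visible_pages` set and the sample images are all constructed for the example.

```python
"""Hypothetical model of an image-manager listing filter (not BookStack code).

Shows how an ingestion path that skips ownership metadata leaks into other
users' listings under a fail-open filter, and how a fail-closed filter plus
a metadata-recording ingest path closes the gap.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Image:
    id: int
    name: str
    created_by: Optional[int]   # uploader's user id; None = never recorded
    uploaded_to: Optional[int]  # id of the page it belongs to; None = never recorded


@dataclass(frozen=True)
class User:
    id: int
    can_manage_all_images: bool     # models an "update/delete all images" style permission
    visible_pages: frozenset        # page ids this user may view (resolved elsewhere)


def ingest_upload(uploader: User, page_id: int, image_id: int, name: str) -> Image:
    """Upload path: records both the uploader and the page (assumed behaviour)."""
    return Image(image_id, name, created_by=uploader.id, uploaded_to=page_id)


def ingest_paste_without_metadata(image_id: int, name: str) -> Image:
    """A paste path that stores the bytes but records no ownership (the bug class)."""
    return Image(image_id, name, created_by=None, uploaded_to=None)


def lenient_filter(user: User, images: list) -> list:
    """Fail-open: only applies a check when the metadata it needs is present."""
    out = []
    for img in images:
        if img.uploaded_to is not None and img.uploaded_to not in user.visible_pages:
            continue
        if (not user.can_manage_all_images
                and img.created_by is not None
                and img.created_by != user.id):
            continue
        out.append(img)
    return out


def strict_filter(user: User, images: list) -> list:
    """Fail-closed: an image with unknown page or unknown owner is never listed
    for a user who may only manage their own images."""
    out = []
    for img in images:
        if img.uploaded_to is None or img.uploaded_to not in user.visible_pages:
            continue
        if not user.can_manage_all_images:
            if img.created_by is None or img.created_by != user.id:
                continue
        out.append(img)
    return out


# Constructed sample data: A and B share a page both can view, neither has
# the "all images" permission; ADMIN does.
USER_A = User(id=1, can_manage_all_images=False, visible_pages=frozenset({10}))
USER_B = User(id=2, can_manage_all_images=False, visible_pages=frozenset({10}))
ADMIN = User(id=3, can_manage_all_images=True, visible_pages=frozenset({10}))

SAMPLE_IMAGES = [
    ingest_upload(USER_A, 10, 1, "uploaded-by-a.png"),
    ingest_paste_without_metadata(2, "pasted-by-a.png"),
    # the fix on the ingest side: route pastes through the same metadata-recording path
    ingest_upload(USER_A, 10, 3, "pasted-by-a-fixed.png"),
]


def visible_ids(filter_fn, user: User, images: list = SAMPLE_IMAGES) -> list:
    """Convenience: ids a given filter lists for a given user."""
    return [img.id for img in filter_fn(user, images)]


if __name__ == "__main__":
    for name, fn in (("lenient", lenient_filter), ("strict", strict_filter)):
        for u in (USER_A, USER_B, ADMIN):
            print(f"{name:7} user {u.id}: {visible_ids(fn, u)}")
```

The leak in the model is image 2: under `lenient_filter` it appears for user B because no owner is recorded, so the ownership check is skipped. `strict_filter` hides it from B but also from A, which is the right failure mode (nobody sees unowned data) and makes the missing-metadata ingest path visible in testing instead of silently widening access. A regression test for this class of bug asserts that every ingest path produces records the permission filter can actually evaluate.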

@JtheBAB commented on GitHub (Feb 20, 2019):

Hi @ssddanbrown

As I wrote, the permission system for images is working fine. But only when you upload the pictures with "Insert a Image" and then upload the image with "Drop images or click here to upload".

When you just copy the image and paste it directly into your text, the permission system is not working.

Edit:
To be clear: I use the local_secure option. What I mean by "the picture can be seen" is that when you open "Insert a Image" you can see the pictures from other users that are copy-pasted, but only those images.


@ssddanbrown commented on GitHub (Feb 20, 2019):

@JtheBAB Ah, thanks for clarifying. Sorry for misunderstanding.

Have marked as a priority for the next release. Good find!

Reference: starred/BookStack#1049