mirror of
https://github.com/BookStackApp/BookStack.git
synced 2026-02-06 09:09:38 +03:00
Overview of assigned rights/roles for books, chapters, pages needed for security #1414
Open
opened 2026-02-05 00:50:12 +03:00 by OVERLORD
6 comments
Reference: starred/BookStack#1414
Originally created by @Wookbert on GitHub (Oct 23, 2019).
Describe the feature you'd like
If I see it correctly, the way to make some content available only to some users is to
Step 1) Create a role where only own content can be viewed, updated, deleted
Step 2) Assign that role (only) to the particular user
Step 3) Manage the rights of the book/chapter/page in mind on an individual level and assign view rights etc. for the role created in step 1.
The big problem I see here is that there is currently ZERO oversight of which content can be seen/updated/deleted by which user.
Imagine having a lot of content and many users ... with not all content meant to be seen by all users. Currently one has to check the rights/permissions book by book, chapter by chapter, page by page (if one assumes that one is actively using permissions and there’s perhaps more than one admin).
This is a security nightmare! So what’s badly needed is some sort of permissions overview or filter, showing which user can see/create/update/delete which content where. This should of course be visible to the Admins only.
The difficulty here is to come up with a handy design, as a simple table with books/chapters/pages in X and users/rights in Y would/could end up in an insanely huge table.
A simplistic design would be to have a page which shows all book titles, where each book has a list of all user names that have any right to either the particular book itself as a whole, or a chapter or page within it. The admin can then click on the book title to inspect the permissions in detail.
Describe the benefits this feature would bring to BookStack users
Security. Avoidance of the wrong people seeing content not meant for their eyes.
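The overview asked for in this post, per book the list of users holding any right on the book itself or on a chapter or page inside it, can be computed directly from the role and entity permissions. The Python below is an added example and is not BookStack code: its data model (role grants of the form `action-own` / `action-all`, per-entity overrides that replace the role grants and are inherited down the book/chapter/page tree, and an admin bypass) is a simplified assumption for the example, and the roles, users and content tree are constructed sample data. It also answers the reverse question, who can perform a given action on one entity, which is what an admin would click through to from the book list.

```python
"""Constructed permission-overview example for a BookStack-like content tree.

Assumed model (an assumption for this example, not BookStack's own data model):
  - Entities form a tree: book > chapter > page. Each entity has an owner.
  - Roles grant global actions as "<action>-own" or "<action>-all".
  - An entity may carry an override naming exactly which roles may perform
    which actions on it; an override replaces the role grants for that
    subtree and is inherited by descendants until another override appears.
  - Roles flagged admin bypass every check.
"""
from __future__ import annotations
from dataclasses import dataclass

ACTIONS = ("view", "update", "delete")


@dataclass
class Entity:
    id: str
    kind: str                                   # "book", "chapter" or "page"
    title: str
    owner: str                                  # user name of the owner
    parent: str | None = None                   # parent entity id, None for a book
    override: dict[str, set[str]] | None = None  # {role: {actions}}, None = inherit


@dataclass
class Role:
    name: str
    grants: set[str]                            # e.g. {"view-all", "update-own"}
    admin: bool = False


def effective_override(entity_id, entities):
    """Walk up the tree and return the nearest override, or None if none applies."""
    node = entities[entity_id]
    while node is not None:
        if node.override is not None:
            return node.override
        node = entities[node.parent] if node.parent else None
    return None


def can(user, action, entity_id, entities, roles, users):
    """Effective permission of `user` to perform `action` on one entity."""
    user_roles = [roles[r] for r in users[user]]
    if any(r.admin for r in user_roles):
        return True
    override = effective_override(entity_id, entities)
    if override is not None:
        # An override replaces role grants for this subtree: ownership no longer counts.
        return any(action in override.get(r.name, set()) for r in user_roles)
    owner = entities[entity_id].owner
    for r in user_roles:
        if f"{action}-all" in r.grants:
            return True
        if f"{action}-own" in r.grants and owner == user:
            return True
    return False


def subtree(entity_id, entities):
    """Ids of the entity and all of its descendants."""
    ids = [entity_id]
    for e in entities.values():
        if e.parent == entity_id:
            ids.extend(subtree(e.id, entities))
    return ids


def overview(entities, roles, users):
    """Per book: sorted user names holding any right on the book or anything inside it."""
    result = {}
    for book in (e for e in entities.values() if e.kind == "book"):
        holders = set()
        for eid in subtree(book.id, entities):
            for user in users:
                if any(can(user, a, eid, entities, roles, users) for a in ACTIONS):
                    holders.add(user)
        result[book.id] = sorted(holders)
    return result


def who_can(action, entity_id, entities, roles, users):
    """Reverse lookup: sorted user names allowed `action` on one entity."""
    return sorted(u for u in users if can(u, action, entity_id, entities, roles, users))


# Constructed sample data: roles, users and a small content tree.
ROLES = {
    "admin": Role("admin", set(), admin=True),
    "editor": Role("editor", {"view-all", "update-all", "delete-own"}),
    "restricted": Role("restricted", {"view-own", "update-own", "delete-own"}),
    "hr": Role("hr", {"view-own"}),
}
USERS = {
    "alice": {"admin"},
    "bob": {"editor"},
    "carol": {"restricted", "hr"},
    "dave": {"restricted"},
}
ENTITIES = {e.id: e for e in [
    Entity("public", "book", "Public handbook", "bob"),
    Entity("pub-ch1", "chapter", "Getting started", "bob", parent="public"),
    Entity("pub-p1", "page", "First steps", "bob", parent="pub-ch1"),
    Entity("hr", "book", "HR records", "alice", override={"hr": {"view", "update", "delete"}}),
    Entity("hr-ch1", "chapter", "Contracts", "alice", parent="hr"),
    Entity("hr-p1", "page", "Salary bands", "dave", parent="hr-ch1"),
    Entity("hr-p2", "page", "Onboarding checklist", "dave", parent="hr-ch1",
           override={"restricted": {"view"}}),
]}

if __name__ == "__main__":
    for book_id, holders in overview(ENTITIES, ROLES, USERS).items():
        print(f"{ENTITIES[book_id].title}: {', '.join(holders)}")
    print("can view 'Salary bands':", who_can("view", "hr-p1", ENTITIES, ROLES, USERS))
```

The sample tree contains the case that makes a per-book check insufficient on its own: `dave` owns the page `hr-p1` but cannot see it, because the override on the `hr` book replaces his role's `view-own` grant, while the separate override on `hr-p2` lets him (and `carol`, who also holds the `restricted` role) view that one page. The book-level overview therefore lists `dave` under "HR records", and only the per-entity lookup shows which page that right actually comes from.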
@Wookbert commented on GitHub (Oct 23, 2019):
Here’s an actually working Table of Contents page my partner has created, to which we've added a user filter, so we as admins can see who has access to what. Inaccessible content is ghosted and struck through.
Usually we also show the headlines of each page as part of the Table of Contents (see the screenshot in my comment on issue #616), but we've added a checkbox to hide those for the permissions view.
Although it's working, it is still a work in progress.
@CodeCommander commented on GitHub (Aug 29, 2020):
This looks really useful. Do you have a PR?
@Wookbert commented on GitHub (Aug 29, 2020):
PR like Pull Request?
@xsylx commented on GitHub (Aug 9, 2021):
@Wookbert: Has this functionality been raised to the BS code? It's very useful and I would like to ask for that functionality, but you already did it! :)
I think another way to do that (perhaps easier) is to have a "login as" function for admin users who want to be in the place of the end user for testing purposes.
@dexamenos commented on GitHub (Aug 9, 2021):
@SylvainGuibert unluckily, we have not created a PR.
Our solution, from which the above-mentioned screenshots are taken, is actually a bloody hack running on a separate, virtual Apache; its "location" (i.e. URL) is "blended" into/over the BS installation. For the rights overview, we are scanning the BS SQL database. Security is -- again -- hacked by scanning the cache files with the auth tokens in the server directory. So it is not in any way future-proof against any changes @ssddanbrown might make to the SQL structure or auth backend.
Besides, we do not have any knowledge of Laravel and composer, which is why it never ended up in a PR.
However, having it in the BS code base would be more than welcome on our side. We might share the code, however, if you would be able to bring it into the BS code base. Lots of custom paths, SQL credentials etc. from our installation, though.
@xsylx commented on GitHub (Aug 10, 2021):
@dexamenos: Thanks for your answer. Unfortunately I don't have knowledge of Laravel and composer either :(
I still agree with you, this kind of functionality in the BS source code could be a great idea. Sometimes we need to be sure that some shelves / books / chapters are not shared around to all users!