Security group access restrictions #1434

Closed
opened 2026-02-05 00:53:13 +03:00 by OVERLORD · 3 comments
Originally created by @GamerClassN7 on GitHub (Nov 1, 2019).

Hi
First of all thanks for writing this amazing app :)

I have a question: I use LDAP as the authentication method to log in.
Even with LDAP_GROUPS_ENABLED and the groups' external names specified, all users from my AD are able to log in regardless of their group membership. Is there any way to disable login for users without an SG?

And another question, which is missing from the docs: is there any way to delete the Guest user and the Public group?

Thanks for any answer :)

OVERLORD added the 🚪 Authentication Question labels 2026-02-05 00:53:13 +03:00
@ssddanbrown commented on GitHub (Nov 15, 2019):

Hi @GamerClassN7,
Sorry for my late response.

### LDAP Groups

LDAP group sync does not control access itself. There are a couple of options to do what you're trying to achieve:

- Update your `LDAP_USER_FILTER` value to be specific to only the users you allow to log into BookStack. BookStack searches for users using this, so if it does not match during a login attempt, the user should not be allowed in.
- Allow login of these users but change the "Default Registration Role" in the settings area to be a role without any permissions.

### Guest User & Public Role

No way to delete these since they power the public view system. Unless you've used these elsewhere, they are effectively not used if the "Public Access" setting is disabled. If you want to be safe, you can also remove all permissions from the "Public" role to prevent any content being seen if the public setting is ever accidentally enabled.

@GamerClassN7 commented on GitHub (Nov 28, 2019):

Yes, I figured all this out :)

But my superiors aren't happy that anyone in the OU can log in, even though they see nothing. I have now set up 3 AD groups which are mapped to the Viewer, Admin and Editor groups in the wiki. But it would be nice to have some solid, rock-like switch to completely disable the public group, or at least give the admin permission to delete it. :) Your project is amazing, and with this (corporate-like) feature it would attract more and more companies. :)

@ssddanbrown commented on GitHub (Mar 14, 2020):

Sorry for only coming back to this now.

> But my superiors aren't happy that anyone in OU can login even that he see nothing now i setup 3 AD groups which are mapped to Viewer, Admin, Editor groups in wiki.

I'm not overly familiar with AD, but I'm pretty sure you could update your `LDAP_USER_FILTER` to check the same groups, so something along the lines of:

```
(&(<current_criteria>)(|(memberof=<group_1>)(memberof=<group_2>)(memberof=<group_3>)))
```

> But would be nice to have some solid like stone switch how to completely disable public group or at least give admin a permission to delete it.

I guess it would provide some reassurance, but allowing actual full deletion while still providing a route to re-enable it in the future would get tricky.

---

Since the original questions here have been answered, I'll close this off.
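The following is an added example and is not part of this thread or of BookStack's own code. It builds the group-restricted `LDAP_USER_FILTER` sketched in the reply above from an existing filter plus a list of group DNs, escapes the DNs per RFC 4515 so that a group name containing `(` or `*` cannot change the filter's structure, and then evaluates the result offline against constructed directory entries with a small evaluator that understands only `&`, `|`, `!` and `attribute=value` equality. It assumes that BookStack substitutes a `${user}` placeholder with the login name before searching (treat that placeholder, the `sAMAccountName` baseline filter, the group DNs and the user entries as assumptions constructed for the example).

```python
"""Compose and exercise a group-restricted LDAP_USER_FILTER (added example).

Assumptions (not from the thread or from BookStack): BookStack replaces the
literal ${user} in the filter with the login name before searching; the
baseline filter, group DNs and entries below are constructed for this demo.
"""
import re
from typing import Dict, Iterable, List, Tuple

Entry = Dict[str, List[str]]  # lower-case attribute name -> values


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping of characters that are special inside a filter value."""
    return "".join("\\%02x" % ord(ch) if ch in "\\*()\x00" else ch for ch in value)


def group_restricted_filter(current_criteria: str, group_dns: Iterable[str]) -> str:
    """(&<current_criteria>(|(memberof=g1)(memberof=g2)...)): the existing
    criteria must still match AND the user must be in at least one group."""
    groups = list(group_dns)
    if not groups:
        raise ValueError("at least one group DN is required")
    clauses = "".join(f"(memberof={escape_filter_value(dn)})" for dn in groups)
    return f"(&{current_criteria}(|{clauses}))"


def _unescape(raw: str) -> str:
    return re.sub(r"\\([0-9A-Fa-f]{2})", lambda m: chr(int(m.group(1), 16)), raw)


def _parse(s: str, i: int) -> Tuple[tuple, int]:
    """Parse one parenthesised filter component starting at offset i."""
    if i >= len(s) or s[i] != "(":
        raise ValueError(f"expected '(' at offset {i}")
    i += 1
    if i < len(s) and s[i] in "&|!":
        op, children, i = s[i], [], i + 1
        while i < len(s) and s[i] == "(":
            child, i = _parse(s, i)
            children.append(child)
        if i >= len(s) or s[i] != ")":
            raise ValueError(f"unbalanced filter at offset {i}")
        if op == "!" and len(children) != 1:
            raise ValueError("'!' takes exactly one operand")
        return (op, children), i + 1
    end = s.find(")", i)  # a literal ')' inside a value arrives escaped as \29
    if end == -1:
        raise ValueError("unterminated assertion")
    attr, sep, raw = s[i:end].partition("=")
    if not sep or not attr:
        raise ValueError(f"only attr=value assertions are supported: {s[i:end]!r}")
    return ("=", attr.strip().lower(), _unescape(raw)), end + 1


def parse_filter(s: str) -> tuple:
    node, i = _parse(s, 0)
    if i != len(s):
        raise ValueError("trailing data after filter")
    return node


def matches(node: tuple, entry: Entry) -> bool:
    """Evaluate a parsed filter against one directory entry."""
    op = node[0]
    if op == "&":
        return all(matches(c, entry) for c in node[1])
    if op == "|":
        return any(matches(c, entry) for c in node[1])
    if op == "!":
        return not matches(node[1][0], entry)
    _, attr, value = node
    # DNs and the usual AD naming attributes compare case-insensitively
    return any(v.lower() == value.lower() for v in entry.get(attr, []))


def login_allowed(user_filter: str, username: str, entry: Entry) -> bool:
    """Mimic the login-time search: substitute ${user} (escaped) and check
    whether this entry would be returned, i.e. whether login proceeds."""
    concrete = user_filter.replace("${user}", escape_filter_value(username))
    return matches(parse_filter(concrete), entry)


# Constructed sample data (assumed, not from any real directory).
BASELINE = "(&(sAMAccountName=${user}))"  # matches anyone in the searched OU
GROUPS = [
    "CN=Wiki Viewers,OU=Groups,DC=example,DC=com",
    "CN=Wiki Editors (Content),OU=Groups,DC=example,DC=com",  # parens get escaped
    "CN=Wiki Admins,OU=Groups,DC=example,DC=com",
]
RESTRICTED = group_restricted_filter(BASELINE, GROUPS)
EDITOR: Entry = {"samaccountname": ["alice"],
                 "memberof": ["CN=Wiki Editors (Content),OU=Groups,DC=example,DC=com",
                              "CN=Staff,OU=Groups,DC=example,DC=com"]}
OUTSIDER: Entry = {"samaccountname": ["bob"],
                   "memberof": ["CN=Staff,OU=Groups,DC=example,DC=com"]}


def demo() -> Dict[str, bool]:
    return {
        "editor_baseline": login_allowed(BASELINE, "alice", EDITOR),
        "outsider_baseline": login_allowed(BASELINE, "bob", OUTSIDER),  # the complaint
        "editor_restricted": login_allowed(RESTRICTED, "alice", EDITOR),
        "outsider_restricted": login_allowed(RESTRICTED, "bob", OUTSIDER),
        "wrong_user_restricted": login_allowed(RESTRICTED, "alice", OUTSIDER),
    }


if __name__ == "__main__":
    print(RESTRICTED)
    for name, allowed in demo().items():
        print(f"{name}: {allowed}")
```

The baseline filter admits both constructed users, which is the behaviour complained about; the wrapped filter admits only the member of a mapped group. Keep the generated filter's group DNs in sync with the DNs used for role mapping, otherwise a user can be denied login while still being listed under a synced role, or vice versa.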

Reference: starred/BookStack#1434