Restricted books visible in list view #1725

Closed
opened 2026-02-05 01:43:08 +03:00 by OVERLORD · 1 comment
Owner

Originally created by @Usinouv on GitHub (May 10, 2020).

Describe the bug
On the shelf view, in list view, it is possible to see all the books, including the ones you can't access.
However, the home screen displays only the good books.

Steps To Reproduce
Steps to reproduce the behavior:

  1. Giving restricted rights to a book
  2. Login with a user with restricted rights
  3. Click on "Shelves" from any page or add /shelves to the site url.
  4. Switch to list view

Expected behavior
Only authorized books should be visible whatever the view.

Your Configuration (please complete the following information):

  • Exact BookStack Version (Found in settings): 0.29.2
  • Hosting Method (Nginx/Apache/Docker): Docker - LinuxServer
Originally created by @Usinouv on GitHub (May 10, 2020). **Describe the bug** On the shelf view, in list view, it is possible to see all the books, including the ones you can't access. However, the home screen displays only the good books. **Steps To Reproduce** Steps to reproduce the behavior: 1. Giving restricted rights to a book 2. Login with a user with restricted rights 3. Click on "Shelves" from any page or add /shelves to the site url. 4. Switch to list view **Expected behavior** Only authorized books should be visible whatever the view. **Your Configuration (please complete the following information):** - Exact BookStack Version (Found in settings): 0.29.2 - Hosting Method (Nginx/Apache/Docker): Docker - LinuxServer
OVERLORD added the 🐛 Bug🚀 Priority🔒 Security🏭 Back-End labels 2026-02-05 01:43:08 +03:00
Author
Owner

@ssddanbrown commented on GitHub (May 13, 2020):

Thank you very much @Usinouv for reporting this security issue and apologies such a vulnerability existed.

I have just released v0.29.3 to cover this:
https://github.com/BookStackApp/BookStack/releases/tag/v0.29.3

And have published a security advisory here:
https://github.com/BookStackApp/BookStack/security/advisories/GHSA-c32x-84w6-5mxq

@ssddanbrown commented on GitHub (May 13, 2020): Thank you very much @Usinouv for reporting this security issue and apologies such a vulnerability existed. I have just released v0.29.3 to cover this: https://github.com/BookStackApp/BookStack/releases/tag/v0.29.3 And have published a security advisory here: https://github.com/BookStackApp/BookStack/security/advisories/GHSA-c32x-84w6-5mxq
Sign in to join this conversation.
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: starred/BookStack#1725