/user/{id} shouldn't be sequential #2065

New Issue

Closed

opened 2026-02-05 02:47:17 +03:00 by OVERLORD · 4 comments

OVERLORD commented 2026-02-05 02:47:17 +03:00

Owner

Copy Link

Originally created by @maggie44 on GitHub (Feb 1, 2021).

Describe the bug
Whenever a user is created they are assigned a UID of last UID +1. I.e, Admin user is user 1, the next user created is 2, the next 3 and so on and so forth.

This means that you can query the database and build an entire replica of every user (including profile pictures) by simply visiting url.com/bookstack/user/1, url.com/bookstack/user/2 and so forth. There isn't any email addresses or login details exposed, but I would suggest this isn't particularly good practice exposing so much data in this way.

Expected behavior
Each user should be provided a non-sequential UID, a random generated number of reasonable length.

Originally created by @maggie44 on GitHub (Feb 1, 2021). **Describe the bug** Whenever a user is created they are assigned a UID of `last UID +1`. I.e, Admin user is user 1, the next user created is 2, the next 3 and so on and so forth. This means that you can query the database and build an entire replica of every user (including profile pictures) by simply visiting url.com/bookstack/user/1, url.com/bookstack/user/2 and so forth. There isn't any email addresses or login details exposed, but I would suggest this isn't particularly good practice exposing so much data in this way. **Expected behavior** Each user should be provided a non-sequential UID, a random generated number of reasonable length.

OVERLORD added the 🛠️ Enhancement🔒 Security labels 2026-02-05 02:47:17 +03:00

OVERLORD closed this issue 2026-02-05 02:47:18 +03:00

OVERLORD commented 2026-02-05 02:47:23 +03:00

Author

Owner

Copy Link

@ssddanbrown commented on GitHub (Feb 2, 2021):

Thanks for raising @maggie0002,

I agree, I can see that potentially being a probably in non-private instances. Will mark for next feature release.

@ssddanbrown commented on GitHub (Feb 2, 2021): Thanks for raising @maggie0002, I agree, I can see that potentially being a probably in non-private instances. Will mark for next feature release.

OVERLORD commented 2026-02-05 02:47:28 +03:00

Author

Owner

Copy Link

@ssddanbrown commented on GitHub (Feb 4, 2021):

Extra thought: This would also apply to search filters.

@ssddanbrown commented on GitHub (Feb 4, 2021): Extra thought: This would also apply to search filters.

OVERLORD commented 2026-02-05 02:47:32 +03:00

Author

Owner

Copy Link

@ssddanbrown commented on GitHub (Mar 11, 2021):

Now added into master to be part of the next feature release.

I've used a unique slug version of the user's name, since that keeps it non-sequential, contextual and uses information that will be known when clicking through on that link (Does not expose anything new).

It does mean that link could possibly break old references on user name change but I imagine it's relatively uncommon that a BookStack profile will be linked to in an important manner.

Thanks again for raising @maggie0002

@ssddanbrown commented on GitHub (Mar 11, 2021): Now added into master to be part of the next feature release. I've used a unique slug version of the user's name, since that keeps it non-sequential, contextual and uses information that will be known when clicking through on that link (Does not expose anything new). It does mean that link could possibly break old references on user name change but I imagine it's relatively uncommon that a BookStack profile will be linked to in an important manner. Thanks again for raising @maggie0002

OVERLORD commented 2026-02-05 02:47:37 +03:00

Author

Owner

Copy Link

@kirillnad commented on GitHub (Mar 20, 2021):

The same with pages nums!
It would be greate each page has a long random number.
Then, it would be possible share page by it's link without permission issues

@kirillnad commented on GitHub (Mar 20, 2021): The same with pages nums! It would be greate each page has a long random number. Then, it would be possible share page by it's link without permission issues

OVERLORD referenced this issue 2026-02-05 04:34:09 +03:00

[Feature Request]: sort pages on article update #2585

OVERLORD referenced this issue 2026-02-05 06:47:20 +03:00

Auto sort pages and chapters #3460

OVERLORD referenced this issue 2026-02-05 10:33:54 +03:00

[PR #5457] [MERGED] Sort rules #6497

Sign in to join this conversation.

No Branch/Tag Specified

Branches Tags

development

l10n_development

release

llm_only

vectors

v25-11

docker_env

drawio_rendering

user_permissions

ldap_host_failover

svg_image

prosemirror

captcha_example

fix/video-export

v25.12.3

v25.12.2

v25.12.1

v25.12

v25.11.6

v25.11.5

v25.11.4

v24.11.4

v25.11.3

v25.11.2

v25.11.1

v25.11

v25.07.3

v25.07.2

v25.07.1

v25.07

v25.05.2

v25.05.1

v25.05

v25.02.5

v25.02.4

v25.02.3

v25.02.2

v25.02.1

v25.02

v24.12.1

v24.12

v24.10.3

v24.10.2

v24.10.1

v24.10

v24.05.4

v24.05.3

v24.05.2

v24.05.1

v24.05

v24.02.3

v24.02.2

v24.02.1

v24.02

v23.12.3

v23.12.2

v23.12.1

v23.12

v23.10.4

v23.10.3

v23.10.2

v23.10.1

v23.10

v23.08.3

v23.08.2

v23.08.1

v23.08

v23.06.2

v23.06.1

v23.06

v23.05.2

v23.05.1

v23.05

v23.02.3

v23.02.2

v23.02.1

v23.02

v23.01.1

v23.01

v22.11.1

v22.11

v22.10.2

v22.10.1

v22.10

v22.09.1

v22.09

v22.07.3

v22.07.2

v22.07.1

v22.07

v22.06.2

v22.06.1

v22.06

v22.04.2

v22.04.1

v22.04

v22.03.1

v22.03

v22.02.3

v22.02.2

v22.02.1

v22.02

v21.12.5

v21.12.4

v21.12.3

v21.12.2

v21.12.1

v21.12

v21.11.3

v21.11.2

v21.11.1

v21.11

v21.10.3

v21.10.2

v21.10.1

v21.10

v21.08.6

v21.08.5

v21.08.4

v21.08.3

v21.08.2

v21.08.1

v21.08

v21.05.4

v21.05.3

v21.05.2

v21.05.1

v21.05

v21.04.6

v21.04.5

v21.04.4

v21.04.3

v21.04.2

v21.04.1

v21.04

v0.31.8

v0.31.7

v0.31.6

v0.31.5

v0.31.4

v0.31.3

v0.31.2

v0.31.1

v0.31.0

v0.30.7

v0.30.6

v0.30.5

v0.30.4

v0.30.3

v0.30.2

v0.30.1

v0.30.0

v0.29.3

v0.29.2

v0.29.1

v0.29.0

v0.28.3

v0.28.2

v0.28.1

v0.28.0

v0.27.5

v0.27.4

v0.27.3

v0.27.2

v0.27.1

v0.27

v0.26.4

v0.26.3

v0.26.2

v0.26.1

v0.26.0

v0.25.5

v0.25.4

v0.25.3

v0.25.2

v0.25.1

v0.25.0

v0.24.3

v0.24.2

v0.24.1

v0.24.0

v0.23.2

v0.23.1

v0.23.0

v0.22.0

v0.21.0

v0.20.3

v0.20.2

v0.20.1

v0.20.0

v0.19.0

v0.18.5

v0.18.4

v0.18.3

v0.18.2

v0.18.1

v0.18.0

v0.17.4

v0.17.3

v0.17.2

v0.17.1

v0.17.0

v0.16.3

v0.16.2

v0.16.1

v0.16.0

v0.15.3

v0.15.2

v0.15.1

v0.15.0

v0.14.3

v0.14.2

v0.14.1

v0.14.0

v0.13.1

v0.13.0

v0.12.2

v0.12.1

v0.12.0

v0.11.2

v0.11.1

v0.11.0

v0.10.0

v0.9.3

v0.9.2

v0.9.1

v0.9.0

v0.8.2

v0.8.1

v0.8.0

v0.7.6

v0.7.5

v0.7.4

v0.7.3

0.7.2

v.0.7.1

v0.7.0

v0.6.3

v0.6.2

v0.6.1

v0.6.0

v0.5.0

Labels

Clear labels

🎨 Design

📖 Docs Update

🐛 Bug

🐛 Bug

:cat2:🐈 Possible duplicate

💿 Database

☕ Open to discussion

💻 Front-End

🐕 Support

🚪 Authentication

🌍 Translations

🔌 API Task

🏭 Back-End

⛲ Upstream

🔨 Feature Request

🛠️ Enhancement

🛠️ Enhancement

🛠️ Enhancement

❤️ Happy feedback

🔒 Security

🔍 Pending Validation

💆 UX

📝 WYSIWYG Editor

🌔 Out of scope

🔩 API Request

:octocat: Admin/Meta

🖌️ View Customization

❓ Question

🚀 Priority

🛡️ Blocked

🚚 Export System

♿ A11y

🔧 Maintenance

> Markdown Editor

pull-request

Mirrored from GitHub Pull Request

No Label 🛠️ Enhancement 🔒 Security

Milestone

No items

No Milestone

Projects

Clear projects

No project

Assignees

Clear assignees

OVERLORD

No Assignees

1 Participants

Notifications

Subscribe

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: starred/BookStack#2065