Creating a book with chapters from user1 (administrator) show up on user2 recently viewed on the home page #2214

Closed
opened 2026-02-05 03:20:12 +03:00 by OVERLORD · 3 comments

Originally created by @Mynster9361 on GitHub (Apr 22, 2021).

Describe the bug
Creating a book with chapters from user1 (administrator) shows up in user2's recently viewed on the home page.
User2, who did not create it and does not have access to that page, is able to use the shortcut from recently viewed and then see the content of that chapter and the pages within that chapter, and also edit them, as long as no custom permissions are set up.
You are able to go to the chapter, but from there you are not able to access the book (you get an error if you try to alter the URL directly to the book).

Steps To Reproduce
Steps to reproduce the behavior:

  1. Log in with user1
  2. Go to 'your homepage'
  3. Click on 'create new book'
  4. Click on 'create new chapter'
  5. Click on 'create new page'
  6. Log in to "user2 that has limited access (I have attached 2 pictures with the permissions the user has)"
  7. Go to the home page
  8. See recently viewed; the chapter should be there and you are able to access it

Expected behavior
I do not expect to see user1's recently created chapter in user2's recently viewed.
And I do not expect that user2 can access the chapter and pages within that chapter.

Screenshots
If applicable, add screenshots to help explain your problem.
  • Created book with chapter and page from user1 (image)
  • Shortcut in recently viewed on user2 home page (image)
  • Book permissions (image)
  • Chapter permissions (image)
  • User2 group role (image)
  • Public role access (image)

Your Configuration (please complete the following information):

  • Exact BookStack Version (Found in settings): Bookstack v21.04
  • PHP Version: PHP 8.0.3
  • Hosting Method (Nginx/Apache/Docker): Apache

Additional context
If I set custom permissions on the book, user2 is no longer able to access the chapter or the content within the chapters.

OVERLORD added the 🐛 Bug and 🏭 Back-End labels 2026-02-05 03:20:12 +03:00

@ssddanbrown commented on GitHub (Apr 27, 2021):

Thanks for reporting @Mynster9361, I can confirm this on my instance.

This is, in particular, evident when the secondary user is fresh with little of their own activity. Needs a reworking of the code/scoping within https://github.com/BookStackApp/BookStack/blob/e4660a5ba26231b70d2c974de46111a1924bb34c/app/Actions/ViewService.php#L98

Have assigned to be addressed in the next patch release.

Note, with that shown permission setup "User 2" will always have access to any page or chapter by default unless their permissions are specifically overridden. They could see them in the recently updated or via search. Just mentioning in case your intentions/thinking was different.


@Mynster9361 commented on GitHub (Apr 27, 2021):

I did not even realize that.
Thanks a lot :)
Sounds good with the update as well :)


@ssddanbrown commented on GitHub (Apr 28, 2021):

Patch applied and released in: https://github.com/BookStackApp/BookStack/releases/tag/v21.04.3

Let me know if the issue still persists but that should do it, I did add a test to cover this scenario to help prevent regression.
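The scenario discussed in this thread, as an added example that is not part of the thread and is not BookStack's code: a fresh user's "recently viewed" list must come only from that user's own view history and must drop entities they can no longer see. The `views` and `denied` tables, the function names and the unscoped query are assumptions made for illustration; the thread does not show the original query.

```python
import sqlite3

# Constructed, hypothetical schema: NOT BookStack's real tables or code.
def build_db():
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE views  (user_id INT, entity TEXT, viewed_at INT);
        CREATE TABLE denied (user_id INT, entity TEXT); -- custom permission overrides
    """)
    # Constructed sample data: user 1 (admin) creates and views a chapter and
    # a page. User 2 is fresh and has no view history of their own.
    db.executemany("INSERT INTO views VALUES (?, ?, ?)", [
        (1, "chapter:demo", 100),
        (1, "page:demo", 101),
    ])
    return db

def recent_unscoped(db, user_id, limit=5):
    """Assumed flawed variant: the viewer's id is never applied, so a fresh
    user is shown whatever anyone viewed most recently."""
    rows = db.execute(
        "SELECT entity FROM views ORDER BY viewed_at DESC LIMIT ?", (limit,))
    return [r[0] for r in rows]

def recent_scoped(db, user_id, limit=5):
    """Scoped variant: only this user's own views, minus entities that a
    permission override now hides from them."""
    rows = db.execute("""
        SELECT v.entity FROM views v
        WHERE v.user_id = :uid
          AND NOT EXISTS (SELECT 1 FROM denied d
                          WHERE d.user_id = :uid AND d.entity = v.entity)
        GROUP BY v.entity
        ORDER BY MAX(v.viewed_at) DESC
        LIMIT :lim
    """, {"uid": user_id, "lim": limit})
    return [r[0] for r in rows]

if __name__ == "__main__":
    db = build_db()
    print("unscoped, user 2:", recent_unscoped(db, 2))
    print("scoped,   user 2:", recent_scoped(db, 2))
```

A regression check for this class of bug asserts that the scoped list is empty for a user with no views, not merely that it differs from the other user's list.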

Reference: starred/BookStack#2214