Implement an advisory notice on the shelf permissions page regarding the lack of cascade #2351

Closed
opened 2026-02-05 03:45:54 +03:00 by OVERLORD · 11 comments

Originally created by @tyler351 on GitHub (Aug 7, 2021).

When applying custom permissions to a shelf, using the "copy to books" option works for any existing books in that shelf, but those same permissions don't seem to get applied to new books created within that shelf from then on unless you go back and use the button again.

Is this the intended result?

I'm on the latest installation (used the Ubuntu 20.04 script) not 100% on version number but will double check.

OVERLORD added the 🛠️ Enhancement, 🔒 Security and 🏭 Back-End labels 2026-02-05 03:45:54 +03:00

@tyler351 commented on GitHub (Aug 7, 2021):

After looking at a couple of other threads (https://github.com/BookStackApp/BookStack/issues/2144#issuecomment-841674016 specifically) I see that permissions applied to shelves don't cascade automatically. So I guess in that case I'd like to ask: is that possible to add? Or a limitation?


@Thorood commented on GitHub (Aug 20, 2021):

I'd like to comment on @tyler351.
This would be a really nice addition and also resolve a big security loophole.


@ssddanbrown commented on GitHub (Aug 22, 2021):

The lack of cascading permissions is due to the more complex shelf-to-book relationship, since books can be on multiple shelves. I have not been able to think of an auto-cascade option that wouldn't end up more confusing, or have more side-effects.


@tyler351 commented on GitHub (Aug 22, 2021):

@ssddanbrown
Ooohhhh gotcha. Yeah. That could get interesting haha. Makes total sense and understand the complexity now. Lol


@Thorood commented on GitHub (Aug 23, 2021):

A way to do this simply could be:
When a book is created -> cascade permissions from its current shelf (at this moment the book has 0 or 1 shelves).
When adding the book to a shelf -> if the permissions are different, then add a warning and either block the addition or take the least permissive permission (but that can be a bit hard to define, so the first option can be easier to implement).


@Thorood commented on GitHub (Aug 23, 2021):

@ssddanbrown I personally think that if someone uses permissions at a shelf level (instead of account level) it shows a need for "security" around the data, so having a simple message explaining that the book is currently inheriting different permissions from another shelf would not cause confusion.

What do you think?


@Cave-Johnson commented on GitHub (Aug 23, 2021):

Maybe a solution would be to provide a flag to enable this in the admin panel, defaulting to the current configuration.

Have a button to enable inherited permissions with a warning saying this breaks having books on multiple shelves

Would be more overhead to maintain though


@dani commented on GitHub (Aug 23, 2021):

The current situation is IMHO the most confusing. When I enable public access for some shelves, but restrict others to logged-in users, and create a new book in a restricted shelf, I certainly do not expect this new book to be public (this is what happens now, and represents a huge risk). Books being created in a shelf with restricted permissions should inherit those permissions. If I want to include it later in another shelf, I can update the permissions later.

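The behaviour the last three comments describe (the one-off "copy to books" action that misses books created afterwards, the proposal to cascade permissions at book creation and block adding a book to a shelf with different permissions, and the gap where a book created in a restricted shelf falls back to being publicly viewable), as an added toy model in Python. This is illustration written for this page, not BookStack's own code: the `(role, action)` representation, the constructed `ROLE_DEFAULTS`, and every function name here are assumptions, and real BookStack entity permissions are stored and evaluated differently.

```python
from dataclasses import dataclass, field
from typing import FrozenSet, List, Optional, Tuple

# A permission set is a set of (role, action) pairs. (Assumed representation.)
PermSet = FrozenSet[Tuple[str, str]]

# Constructed role defaults: with no overrides on an entity, the "public"
# role may view it and editors may view and update it.
ROLE_DEFAULTS: PermSet = frozenset({
    ("public", "view"), ("editor", "view"), ("editor", "update"),
})


@dataclass
class Entity:
    name: str
    overrides: Optional[PermSet] = None  # None -> fall back to ROLE_DEFAULTS


@dataclass
class Shelf(Entity):
    books: List[Entity] = field(default_factory=list)


class PermissionConflict(Exception):
    """Raised when a book's overrides differ from the target shelf's."""


def can(entity: Entity, role: str, action: str) -> bool:
    perms = ROLE_DEFAULTS if entity.overrides is None else entity.overrides
    return (role, action) in perms


def create_book_current(shelf: Shelf, name: str) -> Entity:
    """Behaviour the thread describes: a new book starts with no overrides,
    however the shelf it is created in is restricted."""
    book = Entity(name)
    shelf.books.append(book)
    return book


def copy_permissions_to_books(shelf: Shelf) -> int:
    """The shelf page's "copy to books" action, modelled as a one-off copy to
    the books that exist now; books created later are untouched."""
    for book in shelf.books:
        book.overrides = shelf.overrides
    return len(shelf.books)


def create_book_cascade(shelf: Shelf, name: str) -> Entity:
    """Proposal step 1: copy the shelf's overrides at creation time."""
    book = Entity(name, overrides=shelf.overrides)
    shelf.books.append(book)
    return book


def add_book_to_shelf(shelf: Shelf, book: Entity) -> None:
    """Proposal step 2: block adding a book whose overrides differ from the
    shelf's instead of silently leaving two sets of expectations."""
    if book.overrides != shelf.overrides:
        raise PermissionConflict(
            f"{book.name!r} has {sorted(book.overrides or [])}, "
            f"shelf {shelf.name!r} has {sorted(shelf.overrides or [])}"
        )
    shelf.books.append(book)


def demo() -> dict:
    """Walk through the scenario from the thread and return what we observe."""
    staff_only: PermSet = frozenset({("editor", "view"), ("editor", "update")})
    restricted = Shelf("internal", overrides=staff_only)
    public_shelf = Shelf("public")

    # Current behaviour: the new book is publicly viewable despite the shelf.
    leaked = create_book_current(restricted, "new-book-today")
    before_copy = can(leaked, "public", "view")
    copied = copy_permissions_to_books(restricted)        # fixes existing books
    after_copy = can(leaked, "public", "view")
    later = create_book_current(restricted, "new-book-tomorrow")  # not later ones

    # Proposal: cascade on create, block conflicting shelf membership.
    safe = create_book_cascade(restricted, "cascaded-book")
    try:
        add_book_to_shelf(public_shelf, safe)
        blocked = False
    except PermissionConflict:
        blocked = True

    return {
        "public_can_view_before_copy": before_copy,
        "public_can_view_after_copy": after_copy,
        "books_fixed_by_copy": copied,
        "public_can_view_later_book": can(later, "public", "view"),
        "public_can_view_cascaded": can(safe, "public", "view"),
        "conflicting_add_blocked": blocked,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point the model makes visible is that "copy to books" is a snapshot, not a policy: the book created the day after the copy is back to the role defaults, which is exactly the window a cascade-on-create rule closes, while the conflict check is what keeps the multi-shelf case from silently widening access.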

@ssddanbrown commented on GitHub (Aug 23, 2021):

Based on these conversations I think we need to do two things:

  1. Implement an advisory notice on the shelf permissions page regarding the lack of cascade.
  2. As a nice-to-have, have an option to copy permissions on book create via a shelf, which is already open under #1596.

I don't really want to go down the route of adding different, optional, behaviour which would bring its own scenarios and maintenance burdens.

If there's no major reasonable objections I'll update the title of this issue to focus on (1) above.


@tyler351 commented on GitHub (Aug 24, 2021):

Sounds pretty dang reasonable to me. As nice as it would be to make that a default thing in some situations, knowing upfront that it doesn't happen and getting the option to apply the permissions when it's created seems like a great place to be.

Thanks for your work @ssddanbrown!


@ssddanbrown commented on GitHub (Aug 28, 2021):

Notice added, to be part of the next feature release. Thanks all for your input.

Reference: starred/BookStack#2351