Guest users can view recently updated books (and open them) despite having no rights #3303

Closed
opened 2026-02-05 06:18:11 +03:00 by OVERLORD · 2 comments
Owner

Originally created by @Cidwill on GitHub (Oct 24, 2022).

Describe the Bug

We have LDAP auth on a particular AD group. Any user in this group can log into our BookStack via LDAP. If they don't have an account configured, they're dropped into the guest role. The guest role has no rights to view any shelves or books.

All of our books are assigned to shelves, and users create books exclusively within those shelves to ensure they get the correct permissions (with a cron job applying permissions to the books that are assigned to each shelf).

I was testing today (using both 21.12 and 22.10) and noticed that even though guest accounts cannot see books or shelves, they can see and open pages listed in the side panel titled Recently Updated Pages.

Is there any way to turn off this panel or disable the guest role from viewing it? According to the Role Details page they have no rights of any sort.

Steps to Reproduce

  1. Remove all permissions from Guest role
  2. Assign all current books to a shelf and copy permissions (exclude guest from shelf rights)
  3. Log in as a guest role user. Click the top-of-page banner (which takes you to the shelves page)
  4. View Recently Updated Pages in sidebar
  5. Click on any book to open and read

Expected Behaviour

The role has no rights to view any books. The books and shelves sections of the interface are 100% empty for them. They should not be able to view recently updated pages or open them.

Screenshots or Additional Context

No response

Browser Details

Firefox and Edge, win10

Exact BookStack Version

21.12 and 22.10

PHP Version

No response

Hosting Environment

Ubuntu 20.04

OVERLORD added the 🐛 Bug label 2026-02-05 06:18:11 +03:00
Author
Owner

@Cidwill commented on GitHub (Oct 24, 2022):

Hi, please ignore this. One of our users was making custom page permissions and giving view access to all user roles... *sigh*

Reference: starred/BookStack#3303