Custom Homepage + Guest Access may cause Information Security Issue #480

Closed
opened 2026-02-04 20:22:52 +03:00 by OVERLORD · 1 comment
Owner

Originally created by @sadume on GitHub (Oct 19, 2017).

For Bug Reports

  • BookStack Version (Found in settings, Please don't put 'latest'): 0.18 I think
  • PHP Version: sorry not sure
  • MySQL Version: sorry not sure

Current Behavior

When enabling guest access, the guest shouldn't have access to the homepage, because I removed its permissions from everything and gave it access to just one specific page.

But when browsing as a guest I can view the custom homepage (which has private info on it, which is why I don't want it to show).

When disabling the custom homepage, it is fine, because the normal homepage just displays, which only displays links to things that the guest user has access to.

It seems the custom homepage uses the permissions of the normal homepage, which is like: everyone.
The custom homepage is not applying the permissions from the page it is using.

Expected Behavior

So to fix, the guest should get an error when browsing to root (assuming they don't have access), or get a specific guest page, or be redirected to the normal homepage.

Thanks

Author
Owner

@ssddanbrown commented on GitHub (May 26, 2021):

Since no one else has reported this as a problem in the last 3/4 years I'm going to close this off. The text next to the setting options confirms that permissions are ignored so I don't see this as an unexpected result.

Really, this would be addressed by an existing request such as #1152.

Reference: starred/BookStack#480