starred/BookStack
1
0
Fork 0
mirror of https://github.com/BookStackApp/BookStack.git synced 2026-02-06 09:09:38 +03:00
Code Issues 784 Packages Projects Releases 10 Wiki Activity

Users can edit and rename shelves #5160

New Issue
Closed
opened 2026-02-05 09:45:10 +03:00 by OVERLORD · 5 comments
OVERLORD commented 2026-02-05 09:45:10 +03:00
Owner
Copy Link

Originally created by @Salla205 on GitHub (Jan 31, 2025).

Describe the Bug

The Asset Permissions set under Settings → Roles do not automatically apply to added shelves. A shelf will only become visible to users and its functions will be activated once one of the options "View," "Create," "Update," or "Delete" is selected. The specific permissions assigned to a shelf override the general role settings and can render them ineffective.

Here are a few images for better understanding.

Image

Image

Image

Background on Company Usage
We plan to introduce BookStack company-wide and provide each department with its own shelf. Additionally, the IT department will provide shelves containing central documentation.

Department Shelves: Visible only to the respective department and admins – not to other departments.
Permissions in Department Shelves: Users can create books but cannot edit the shelf itself. Within their own department, users are allowed to delete books, chapters, and pages.
IT Department Shelves: Documentation with view-only permissions must not be copied.

Additionally, only shelves should be displayed, and users should not be able to create books via "Book", as these are only visible to themselves.

Image

Steps to Reproduce

Go to Settings → Roles and create a new role.
Assign Asset Permissions as shown in the image above. No System Permissions are selected.

Now, add this role to a shelf under Shelves → Add Role, but do not check "View," "Create," "Update," or "Delete." The shelf will not be visible to the user.

  • The shelf only becomes visible when "View" is selected.
  • The "Create" option has no effect.
  • "Update" allows users to create books but also edit shelves—which should not be possible.
  • "Delete" enables users to delete shelves, even though this permission is not explicitly selected.

Expected Behaviour

Either the "Create" permission must be enabled to allow book creation, or the specific shelf permissions should not override the Asset Permissions.

Additionally, there should be a button to hide Books in the top navigation bar and display only Shelves, since users should not create their own books. This option should only be available to Admins or IT users.

Screenshots or Additional Context

No response

Browser Details

No response

Exact BookStack Version

BookStack v24.10

Originally created by @Salla205 on GitHub (Jan 31, 2025). ### Describe the Bug The Asset Permissions set under Settings → Roles do not automatically apply to added shelves. A shelf will only become visible to users and its functions will be activated once one of the options "View," "Create," "Update," or "Delete" is selected. The specific permissions assigned to a shelf override the general role settings and can render them ineffective. Here are a few images for better understanding. ![Image](https://github.com/user-attachments/assets/bc8f35e1-e6e5-4b58-9abc-f4d0fb05bc13) ![Image](https://github.com/user-attachments/assets/678749cf-efd4-481c-adf8-efe29192d4c9) ![Image](https://github.com/user-attachments/assets/1d93e9ba-b6d5-4c7f-a0bc-e1a36bc75405) Background on Company Usage We plan to introduce BookStack company-wide and provide each department with its own shelf. Additionally, the IT department will provide shelves containing central documentation. Department Shelves: Visible only to the respective department and admins – not to other departments. Permissions in Department Shelves: Users can create books but cannot edit the shelf itself. Within their own department, users are allowed to delete books, chapters, and pages. IT Department Shelves: Documentation with view-only permissions must not be copied. Additionally, only shelves should be displayed, and users should not be able to create books via "Book", as these are only visible to themselves. ![Image](https://github.com/user-attachments/assets/65730b23-bf71-4904-bc5b-67f01c3177b2) ### Steps to Reproduce Go to Settings → Roles and create a new role. Assign Asset Permissions as shown in the image above. No System Permissions are selected. Now, add this role to a shelf under Shelves → Add Role, but do not check "View," "Create," "Update," or "Delete." The shelf will not be visible to the user. - The shelf only becomes visible when "View" is selected. - The "Create" option has no effect. - "Update" allows users to create books but also edit shelves—which should not be possible. - "Delete" enables users to delete shelves, even though this permission is not explicitly selected. ### Expected Behaviour Either the "Create" permission must be enabled to allow book creation, or the specific shelf permissions should not override the Asset Permissions. Additionally, there should be a button to hide Books in the top navigation bar and display only Shelves, since users should not create their own books. This option should only be available to Admins or IT users. ### Screenshots or Additional Context _No response_ ### Browser Details _No response_ ### Exact BookStack Version BookStack v24.10
OVERLORD commented 2026-02-05 09:45:13 +03:00
Author
Owner
Copy Link

@ssddanbrown commented on GitHub (Jan 31, 2025):

Hi @Salla205,
I'm not really sure I see a bug here.

Quoting the reproduction steps:

The shelf only becomes visible when "View" is selected.

I don't have full visibility of the permissions at play via the screenshots provided, but this is expected. Users will need some form of view permission to see items. Lack of view via overrides will take precedence.

The "Create" option has no effect.

Yes, they are only used for copying as mentioned in the permissions page, denoted by the *.

"Update" allows users to create books but also edit shelves—which should not be possible.

Update affects the ability to update the shelf in any way. The details and contents (assigned books) are both considered part of the shelf.

"Delete" enables users to delete shelves, even though this permission is not explicitly selected.

I don't know what is meant by that tbh.

Shelves are only really meant to be a high-level-categorization option around books. Books do not belong to them, but are on them. Where permissions are managed, keeping things at book level is generally much simpler and easier in regards to permission management.

@ssddanbrown commented on GitHub (Jan 31, 2025): Hi @Salla205, I'm not really sure I see a bug here. Quoting the reproduction steps: > The shelf only becomes visible when "View" is selected. I don't have full visibility of the permissions at play via the screenshots provided, but this is expected. Users will need some form of view permission to see items. Lack of view via overrides will take precedence. > The "Create" option has no effect. Yes, they are only used for copying as mentioned in the permissions page, denoted by the `*`. > "Update" allows users to create books but also edit shelves—which should not be possible. Update affects the ability to update the shelf in any way. The details and contents (assigned books) are both considered part of the shelf. > "Delete" enables users to delete shelves, even though this permission is not explicitly selected. I don't know what is meant by that tbh. --- Shelves are only really meant to be a high-level-categorization option around books. Books do not belong to them, but are on them. Where permissions are managed, keeping things at book level is generally much simpler and easier in regards to permission management.
OVERLORD commented 2026-02-05 09:45:15 +03:00
Author
Owner
Copy Link

@Salla205 commented on GitHub (Feb 3, 2025):

I try to explain it.

My idea was to create a shelf for each department in our company. On this shelf, employees of the respective department can create, update, and delete books, and the same applies to chapters and pages in the books. However, the shelf itself should not be editable. For each department, I will create a role that includes only "Asset Permissions" (see first screenshot) and no "System Permissions." I will then assign this role to the respective shelf.

The additional permissions "View," "Create *," "Update," and "Delete" on the shelf confused me. Without making a selection, nothing happens. However, when one of these additional permissions is selected, the "Asset Permissions" of the role are ignored.

I then tried it at the book level. The shelf level represented a higher-level area, and each department was assigned at the book level. Again, I added the role (only "Asset Permissions" and no "System Permissions"). At this level, chapters and pages could be created, but not deleted. It was only after I added the "Delete" permission at the book level that chapters and pages could be deleted – but also the book itself.

@Salla205 commented on GitHub (Feb 3, 2025): I try to explain it. My idea was to create a shelf for each department in our company. On this shelf, employees of the respective department can create, update, and delete books, and the same applies to chapters and pages in the books. However, the shelf itself should not be editable. For each department, I will create a role that includes only "Asset Permissions" (see first screenshot) and no "System Permissions." I will then assign this role to the respective shelf. The additional permissions "View," "Create *," "Update," and "Delete" on the shelf confused me. Without making a selection, nothing happens. However, when one of these additional permissions is selected, the "Asset Permissions" of the role are ignored. I then tried it at the book level. The shelf level represented a higher-level area, and each department was assigned at the book level. Again, I added the role (only "Asset Permissions" and no "System Permissions"). At this level, chapters and pages could be created, but not deleted. It was only after I added the "Delete" permission at the book level that chapters and pages could be deleted – but also the book itself.
OVERLORD commented 2026-02-05 09:45:16 +03:00
Author
Owner
Copy Link

@ssddanbrown commented on GitHub (Feb 25, 2025):

Yeah, that's all expected to be honest.
I appreciate the permission can be a little course for some scenarios though, but we do have to strike a balance between maintenance/supported complexity and flexibility.

@ssddanbrown commented on GitHub (Feb 25, 2025): Yeah, that's all expected to be honest. I appreciate the permission can be a little course for some scenarios though, but we do have to strike a balance between maintenance/supported complexity and flexibility.
OVERLORD commented 2026-02-05 09:45:19 +03:00
Author
Owner
Copy Link

@steven-loscheider commented on GitHub (Feb 26, 2025):

I am curious about this because we would want to use Bookstack in the same manner. Meaning we have different departments that we want to assign to a specific shelf (or book idk) so they can only(!) see and work in their own area. Meaning Finance for example cannot view and edit Books/shelves etc from the IT department. How do I do this?

@steven-loscheider commented on GitHub (Feb 26, 2025): I am curious about this because we would want to use Bookstack in the same manner. Meaning we have different departments that we want to assign to a specific shelf (or book idk) so they can only(!) see and work in their own area. Meaning Finance for example cannot view and edit Books/shelves etc from the IT department. How do I do this?
OVERLORD commented 2026-02-05 09:45:21 +03:00
Author
Owner
Copy Link

@ssddanbrown commented on GitHub (Mar 13, 2025):

I'm going to go ahead and close off this issue and I don't see much to action here.

@steven-loscheider The approach I'd advise would be:

  • Keep at the book level by default.
  • On the book, assign view/create/edit to the desired roles.
  • At the role-level permissions, provide delete-own permissions so users can delete their own content where needed.
@ssddanbrown commented on GitHub (Mar 13, 2025): I'm going to go ahead and close off this issue and I don't see much to action here. --- @steven-loscheider The approach I'd advise would be: - Keep at the book level by default. - On the book, assign view/create/edit to the desired roles. - At the role-level permissions, provide delete-own permissions so users can delete their own content where needed.
Sign in to join this conversation.
No Branch/Tag Specified
Branches Tags
Labels
Clear labels
🎨 Design
📖 Docs Update
🐛 Bug
🐛 Bug
:cat2:🐈 Possible duplicate
💿 Database
Open to discussion
💻 Front-End
🐕 Support
🚪 Authentication
🌍 Translations
🔌 API Task
🏭 Back-End
Upstream
🔨 Feature Request
🛠️ Enhancement
🛠️ Enhancement
🛠️ Enhancement
❤️ Happy feedback
🔒 Security
🔍 Pending Validation
💆 UX
📝 WYSIWYG Editor
🌔 Out of scope
🔩 API Request
:octocat: Admin/Meta
🖌️ View Customization
Question
🚀 Priority
🛡️ Blocked
🚚 Export System
A11y
🔧 Maintenance
> Markdown Editor
pull-request
Mirrored from GitHub Pull Request
No Label
Milestone
No items
No Milestone
Projects
Clear projects
No project
Assignees
Clear assignees
OVERLORD
No Assignees
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: starred/BookStack#5160
Delete Branch "%!s()"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?