Prevent editing of account-details #5193

Closed
opened 2026-02-05 09:47:29 +03:00 by OVERLORD · 7 comments

Originally created by @demlak on GitHub (Feb 24, 2025).

Attempted Debugging

  • I have read the debugging page

Searched GitHub Issues

  • I have searched GitHub for the issue.

Describe the Scenario

Disable editing of account details

Hi.. i use bookstack in a school and since we use OpenID as auth_method, i want to disable editing some settings in the personal profile: changing name, activating 2FA, deleting account and changing avatar.
Similar to https://github.com/BookStackApp/BookStack/issues/3156

Since the only setting that will be left, is language-change, but it is absolutely OK to do without language-change.. so, maybe, we could do without the my-account-page at all.

i don't know, what is the best solution on this..

i see:

  • editing server-config to not access /my-account anymore. I don't know, if this will break other things
  • custom-CSS for hiding the navigation-entry to get there. This will be kind of security by obscurity
  • change page via logical-theme system by replacing code or by hooking into the save-dialog, like in https://github.com/BookStackApp/BookStack/issues/3156, if i understand it correctly
  • change php in Bookstack-source-code to not give access at all.. this is obviously a bad idea for updating bookstack

What would be a good / the best Solution?

thx
demlak

Exact BookStack Version

v24.12.1

Log Content

No response

Hosting Environment

Bookstack in an LXC installed via helper-scripts.com on a proxmox.

OVERLORD added the 🐕 Support label 2026-02-05 09:47:29 +03:00

@ssddanbrown commented on GitHub (Feb 25, 2025):

Hi @demlak,

Personally I'd probably go with the webserver approach, since that should be most simple.
Note though, URLs for things could change in the future but no options here are safe to future changes, since this isn't something officially supported.

> I don't know, if this will break other things

The only other things I can think of is that shortcut and notification preferences are also on the my-account path.
If you want to allow those, you'd need to get a bit more selective/targeted.
A full list of the routes/methods using my-account can be seen here:
https://github.com/BookStackApp/BookStack/blob/dca14feaaad686bfbe9acb59f5eb11b815501e5b/routes/web.php#L252-L263


@demlak commented on GitHub (Feb 25, 2025):

hmm.. i tried several things inside /.htaccess file to redirect /my-account to /.. but i was not successful.. maybe you can help?


@ssddanbrown commented on GitHub (Feb 25, 2025):

@demlak .htaccess files are rarely used and best avoided.

Your apache webserver config for BookStack should be found at /etc/apache2/sites-available/bookstack.conf, Add config/options in there.


@demlak commented on GitHub (Feb 27, 2025):

hey.. thx a lot..
i am a little bit confused, because "my-account" is kind of "virtual".. it is not "physically" on the disc..

this is the original conf-file.. any hints on that?

```apache
<VirtualHost *:80>
    ServerAdmin webmaster@localhost
    DocumentRoot /opt/bookstack/public/

    <Directory /opt/bookstack/public/>
        Options -Indexes +FollowSymLinks
        AllowOverride None
        Require all granted
        <IfModule mod_rewrite.c>
            <IfModule mod_negotiation.c>
                Options -MultiViews -Indexes
            </IfModule>

            RewriteEngine On

            # Handle Authorization Header
            RewriteCond %{HTTP:Authorization} .
            RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]

            # Redirect Trailing Slashes If Not A Folder...
            RewriteCond %{REQUEST_FILENAME} !-d
            RewriteCond %{REQUEST_URI} (.+)/$
            RewriteRule ^ %1 [L,R=301]

            # Handle Front Controller...
            RewriteCond %{REQUEST_FILENAME} !-d
            RewriteCond %{REQUEST_FILENAME} !-f
            RewriteRule ^ index.php [L]
        </IfModule>
    </Directory>

    ErrorLog /var/log/apache2/error.log
    CustomLog /var/log/apache2/access.log combined

</VirtualHost>
```

@ssddanbrown commented on GitHub (Mar 1, 2025):

@demlak I have not tested this, but going via the apache documentation I'd try adding something like this above the existing <Directory ...> section:

```apache
<Location "/my-account">
   Require all denied
</Location>
```

Will need to test it though as I'm not exactly sure on the ordering of rules/config-blocks for apache config.


@demlak commented on GitHub (Mar 1, 2025):

Competent as always =)

Works! Thx a lot

this is a good base.. now i will use the theme-system to hide the profile from user-menu

Edit:
For anyone wanting to do the same thing:

Add and activate a theme like described here https://github.com/BookStackApp/BookStack/blob/development/dev/docs/visual-theme-system.md

The file we want to copy for editing, is resources/views/layouts/parts/header-user-menu.blade.php
Just copy it to your theme-folder like themes/my-theme/layouts/parts/header-user-menu.blade.php and edit it there to delete the corresponding <li>-entry:

```blade
        <li>
            <a href="{{ url('/my-account') }}" class="icon-item">
                @icon('user-preferences')
                <div>{{ trans('preferences.my_account') }}</div>
            </a>
        </li>
```
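Putting the two confirmed pieces together, as an added configuration example rather than anything posted in the thread or shipped by BookStack: the deny block from the comments above in its place within the VirtualHost, with the Apache merge-order behaviour that makes it work spelled out, plus an optional selective variant that keeps the shortcut and notification preference pages reachable. The `/my-account/shortcuts` and `/my-account/notifications` sub-paths are an assumption taken from the routes/web.php link above and should be checked against the installed version.

```apache
# Added example (not from the thread or from BookStack). Place this inside the
# existing <VirtualHost *:80> block, above the <Directory /opt/bookstack/public/>
# section, then run "apachectl configtest" and reload.
#
# <Location> matches the request path as a prefix on segment boundaries, so
# this covers /my-account and everything below it (GET and POST alike, so the
# profile, 2FA, avatar and delete forms cannot be submitted either) but not a
# path such as /my-accounting. In Apache 2.4, <Location> sections are merged
# after <Directory> sections, so this "Require all denied" overrides the
# "Require all granted" of the <Directory> block no matter where in the file
# it sits; matching requests receive a 403 before PHP is ever reached.
<Location "/my-account">
    Require all denied
</Location>

# Optional: re-allow the shortcut and notification preference pages only.
# <Location> sections apply in the order they appear in the config, so these
# more specific blocks must come AFTER the deny above to take precedence.
# The two sub-paths below are ASSUMED from the routes/web.php link in the
# thread; confirm them against the installed version before uncommenting.
#<Location "/my-account/shortcuts">
#    Require all granted
#</Location>
#<Location "/my-account/notifications">
#    Require all granted
#</Location>
```

The Blade-template change that removes the menu entry is cosmetic only; this block is the part that actually enforces the restriction, so verify it after the reload with a logged-in request to /my-account (expect 403) and to a normal page (expect the page as before).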

@ssddanbrown commented on GitHub (Mar 20, 2025):

I'll go ahead and close this off since you found a solution.

Reference: starred/BookStack#5193