Users with Edit permissions can Override the Delete capabilities #5307

New Issue

Open

opened 2026-02-05 09:56:38 +03:00 by OVERLORD · 2 comments

OVERLORD commented 2026-02-05 09:56:38 +03:00

Owner

Copy Link

Originally created by @joshhcd on GitHub (Jun 4, 2025).

Describe the Bug

I believe this is currently "as expected", however its an issue a user brought up to me last week.

I currently have all user assigned roles to not include delete capabilities, so that nothing is removed without an administrators consent.

However, uses with Edit permission can simply edit the permissions of the entity and uncheck Inherit defaults, allowing them to grant permission to delete the book/page/etc.

Steps to Reproduce

1. Remove delete permissions from a role for all entities, but leave edit permissions

2. Go to any entity and "edit" permissions
   

3. Simply uncheck Inherit defaults, and check the delete permission. You can now delete the entity.

Expected Behaviour

Ideally, specifically for the delete function, this should be disabled when it is unchecked on a role level. Users should not be able to access the delete button by manually assigning permissions.

At the very least, this should be a separate toggle on a role level.

Screenshots or Additional Context

No response

Browser Details

No response

Exact BookStack Version

v25.02.3

Originally created by @joshhcd on GitHub (Jun 4, 2025). ### Describe the Bug I believe this is currently "as expected", however its an issue a user brought up to me last week. I currently have all user assigned roles to not include delete capabilities, so that nothing is removed without an administrators consent. However, uses with Edit permission can simply edit the permissions of the entity and uncheck Inherit defaults, allowing them to grant permission to delete the book/page/etc. ### Steps to Reproduce 1. Remove delete permissions from a role for all entities, but leave edit permissions  2. Go to any entity and "edit" permissions   3. Simply uncheck Inherit defaults, and check the delete permission. You can now delete the entity. ### Expected Behaviour Ideally, specifically for the delete function, this should be disabled when it is unchecked on a role level. Users should not be able to access the delete button by manually assigning permissions. At the very least, this should be a separate toggle on a role level. ### Screenshots or Additional Context _No response_ ### Browser Details _No response_ ### Exact BookStack Version v25.02.3

OVERLORD added the 🐛 Bug label 2026-02-05 09:56:38 +03:00

OVERLORD commented 2026-02-05 09:56:40 +03:00

Author

Owner

Copy Link

@ssddanbrown commented on GitHub (Jun 5, 2025):

Thanks for the input @joshhcd, but to be honest I wouldn't be keen on having different behaviour for delete compared to others, or otherwise adding complexity (options, extra control) to work around this somewhat specific scenario which essentially comes down to expectations/understanding.

I would expect that specifically assigning delete permission to provide the ability to delete.
If you expected that to intersect with the role level permission, then really I'd have thought you would expect the same for the other permissions too, and then the result is quite a different permission system behaviour.

@ssddanbrown commented on GitHub (Jun 5, 2025): Thanks for the input @joshhcd, but to be honest I wouldn't be keen on having different behaviour for delete compared to others, or otherwise adding complexity (options, extra control) to work around this somewhat specific scenario which essentially comes down to expectations/understanding. I would expect that specifically assigning delete permission to provide the ability to delete. If you expected that to intersect with the role level permission, then really I'd have thought you would expect the same for the other permissions too, and then the result is quite a different permission system behaviour.

OVERLORD commented 2026-02-05 09:56:42 +03:00

Author

Owner

Copy Link

@joshhcd commented on GitHub (Jun 9, 2025):

Thanks for the reply @ssddanbrown ,

I agree that it boils down to understanding what the limitations are, if you allow role permissions to be overridden.

The current setup however makes it impossible to restrict object deletion based on a role level, while still allowing users to modify the books pages itself. This issue is only a security concern from a delete perspective, not from a view/update/create perspective.

I would expect that specifically assigning delete permission to provide the ability to delete. If you expected that to intersect with the role level permission, then really I'd have thought you would expect the same for the other permissions too, and then the result is quite a different permission system behaviour.

The reason being is that It is possible to restrict editing based on the role, and since the user does not have editing privileges, they do not have access to the permissions page to give themselves access. This should be a fairly simple and unintrusive to change the page permission level, to simply not show the user the delete checkbox, if their role does not allow them to delete.

While this change does not inherently prohibit the delete checkbox from being activated by a higher level user for that role, it would prevent privilege-escalation risk.

@joshhcd commented on GitHub (Jun 9, 2025): Thanks for the reply @ssddanbrown , I agree that it boils down to understanding what the limitations are, if you allow role permissions to be overridden. The current setup however makes it impossible to restrict object deletion based on a role level, while still allowing users to modify the books pages itself. This issue is only a security concern from a delete perspective, not from a view/update/create perspective. > I would expect that specifically assigning delete permission to provide the ability to delete. If you expected that to intersect with the role level permission, then really I'd have thought you would expect the same for the other permissions too, and then the result is quite a different permission system behaviour. The reason being is that It *is* possible to restrict editing based on the role, and since the user does not have editing privileges, they do not have access to the permissions page to give themselves access. This should be a fairly simple and unintrusive to change the page permission level, to simply not show the user the delete checkbox, if their role does not allow them to delete. While this change does not inherently prohibit the delete checkbox from being activated by a higher level user for that role, it would prevent privilege-escalation risk.

Sign in to join this conversation.

No Branch/Tag Specified

Branches Tags

development

l10n_development

release

v25-12

llm_only

vectors

v25-11

docker_env

drawio_rendering

user_permissions

ldap_host_failover

svg_image

prosemirror

captcha_example

fix/video-export

v25.12.3

v25.12.2

v25.12.1

v25.12

v25.11.6

v25.11.5

v25.11.4

v24.11.4

v25.11.3

v25.11.2

v25.11.1

v25.11

v25.07.3

v25.07.2

v25.07.1

v25.07

v25.05.2

v25.05.1

v25.05

v25.02.5

v25.02.4

v25.02.3

v25.02.2

v25.02.1

v25.02

v24.12.1

v24.12

v24.10.3

v24.10.2

v24.10.1

v24.10

v24.05.4

v24.05.3

v24.05.2

v24.05.1

v24.05

v24.02.3

v24.02.2

v24.02.1

v24.02

v23.12.3

v23.12.2

v23.12.1

v23.12

v23.10.4

v23.10.3

v23.10.2

v23.10.1

v23.10

v23.08.3

v23.08.2

v23.08.1

v23.08

v23.06.2

v23.06.1

v23.06

v23.05.2

v23.05.1

v23.05

v23.02.3

v23.02.2

v23.02.1

v23.02

v23.01.1

v23.01

v22.11.1

v22.11

v22.10.2

v22.10.1

v22.10

v22.09.1

v22.09

v22.07.3

v22.07.2

v22.07.1

v22.07

v22.06.2

v22.06.1

v22.06

v22.04.2

v22.04.1

v22.04

v22.03.1

v22.03

v22.02.3

v22.02.2

v22.02.1

v22.02

v21.12.5

v21.12.4

v21.12.3

v21.12.2

v21.12.1

v21.12

v21.11.3

v21.11.2

v21.11.1

v21.11

v21.10.3

v21.10.2

v21.10.1

v21.10

v21.08.6

v21.08.5

v21.08.4

v21.08.3

v21.08.2

v21.08.1

v21.08

v21.05.4

v21.05.3

v21.05.2

v21.05.1

v21.05

v21.04.6

v21.04.5

v21.04.4

v21.04.3

v21.04.2

v21.04.1

v21.04

v0.31.8

v0.31.7

v0.31.6

v0.31.5

v0.31.4

v0.31.3

v0.31.2

v0.31.1

v0.31.0

v0.30.7

v0.30.6

v0.30.5

v0.30.4

v0.30.3

v0.30.2

v0.30.1

v0.30.0

v0.29.3

v0.29.2

v0.29.1

v0.29.0

v0.28.3

v0.28.2

v0.28.1

v0.28.0

v0.27.5

v0.27.4

v0.27.3

v0.27.2

v0.27.1

v0.27

v0.26.4

v0.26.3

v0.26.2

v0.26.1

v0.26.0

v0.25.5

v0.25.4

v0.25.3

v0.25.2

v0.25.1

v0.25.0

v0.24.3

v0.24.2

v0.24.1

v0.24.0

v0.23.2

v0.23.1

v0.23.0

v0.22.0

v0.21.0

v0.20.3

v0.20.2

v0.20.1

v0.20.0

v0.19.0

v0.18.5

v0.18.4

v0.18.3

v0.18.2

v0.18.1

v0.18.0

v0.17.4

v0.17.3

v0.17.2

v0.17.1

v0.17.0

v0.16.3

v0.16.2

v0.16.1

v0.16.0

v0.15.3

v0.15.2

v0.15.1

v0.15.0

v0.14.3

v0.14.2

v0.14.1

v0.14.0

v0.13.1

v0.13.0

v0.12.2

v0.12.1

v0.12.0

v0.11.2

v0.11.1

v0.11.0

v0.10.0

v0.9.3

v0.9.2

v0.9.1

v0.9.0

v0.8.2

v0.8.1

v0.8.0

v0.7.6

v0.7.5

v0.7.4

v0.7.3

0.7.2

v.0.7.1

v0.7.0

v0.6.3

v0.6.2

v0.6.1

v0.6.0

v0.5.0

Labels

Clear labels

🎨 Design

📖 Docs Update

🐛 Bug

🐛 Bug

:cat2:🐈 Possible duplicate

💿 Database

☕ Open to discussion

💻 Front-End

🐕 Support

🚪 Authentication

🌍 Translations

🔌 API Task

🏭 Back-End

⛲ Upstream

🔨 Feature Request

🛠️ Enhancement

🛠️ Enhancement

🛠️ Enhancement

❤️ Happy feedback

🔒 Security

🔍 Pending Validation

💆 UX

📝 WYSIWYG Editor

🌔 Out of scope

🔩 API Request

:octocat: Admin/Meta

🖌️ View Customization

❓ Question

🚀 Priority

🛡️ Blocked

🚚 Export System

♿ A11y

🔧 Maintenance

> Markdown Editor

pull-request

Mirrored from GitHub Pull Request

No Label 🐛 Bug

Milestone

No items

No Milestone

Projects

Clear projects

No project

Assignees

Clear assignees

OVERLORD

No Assignees

1 Participants

Notifications

Subscribe

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: starred/BookStack#5307