Add tri-state content permissions (Allow / Deny / Inherit) to fix role override issues #5327

Open
opened 2026-02-05 09:58:00 +03:00 by OVERLORD · 0 comments
Owner

Originally created by @rozdun on GitHub (Jun 23, 2025).

Describe the feature you'd like

Add tri-state permissions at the content level: Allow, Deny, and Inherit. Right now, assigning a role to a book or shelf with limited permissions (e.g. just "View") cancels out global permissions from other roles the user might have, like "Edit" or "Delete". The system treats any content-level role assignment as a full override, even when it only specifies one permission. Tri-state would let us say: “this role can View here, but for everything else, fall back to the global role permissions.”

Describe the benefits this would bring to existing BookStack users

This would make permission behavior match how people expect roles to work. For example:

  • You have multiple team roles (e.g. Team X, Team Y) that give View access to different sets of books.
  • You have a Team Leader role with global Edit/Delete rights.

Right now, if you assign Team X to a book with just View, users with both roles can no longer edit, because the presence of Team X alone overrides Team Leader. This makes global roles useless unless they’re manually added to every item.

Tri-state permissions would fix this. You could give View to Team X while letting Team Leader keep its global rights. It simplifies permission management, avoids duplication, and better reflects real-world setups where team leaders need elevated access across many areas without micromanaging every shelf or page.

Can the goal of this request already be achieved via other means?

No. The only workaround is to manually reassign the global role at every content item, along with its permissions - defeating the purpose of having global roles and inheritance.

Have you searched for an existing open/closed issue?

  • I have searched for existing issues and none cover my fundamental request

How long have you been using BookStack?

Under 3 months

Additional context

Tri-state permission logic ensures scoped overrides don’t accidentally block broader access. BookStack’s permission system is already robust, but this adjustment would resolve an unintuitive edge case and bring it closer to established access control standards.

OVERLORD added the 🔨 Feature Request label 2026-02-05 09:58:00 +03:00
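
The two resolution rules described in the issue above, modelled as an added example (this is not BookStack's code and not from the issue author). Role keys, function names and the DENY-over-ALLOW precedence are assumptions; the override model follows the issue's description of the current behaviour.

```python
from enum import Enum

class State(Enum):
    ALLOW = "allow"
    DENY = "deny"
    INHERIT = "inherit"

# Constructed sample data for the issue's scenario (role keys are illustrative).
GLOBAL_ROLE_PERMS = {"team_x": {"view"}, "team_leader": {"view", "edit", "delete"}}
# Content-level assignment on one book: Team X is given only View.
BOOK_OVERRIDE = {"team_x": {"view"}}
# The same assignment in tri-state form; actions not listed default to INHERIT.
BOOK_TRISTATE = {"team_x": {"view": State.ALLOW}}

def global_allows(user_roles, action):
    """Union of global permissions across all of the user's roles."""
    return any(action in GLOBAL_ROLE_PERMS.get(r, set()) for r in user_roles)

def override_model(user_roles, action, content_perms):
    """Behaviour as the issue describes it: a content-level assignment for any of
    the user's roles replaces global permissions for every action."""
    assigned = [r for r in user_roles if r in content_perms]
    if not assigned:
        return global_allows(user_roles, action)
    return any(action in content_perms[r] for r in assigned)

def tristate_model(user_roles, action, content_perms):
    """Proposed behaviour: INHERIT (the default) falls back to global permissions.
    Assumption, not from the issue: an explicit DENY beats an explicit ALLOW."""
    states = [content_perms.get(r, {}).get(action, State.INHERIT) for r in user_roles]
    if State.DENY in states:
        return False
    if State.ALLOW in states:
        return True
    return global_allows(user_roles, action)

def effective(user_roles, content_perms, model):
    """Effective result per action, for comparing the two models side by side."""
    return {a: model(user_roles, a, content_perms) for a in ("view", "edit", "delete")}

if __name__ == "__main__":
    both = ["team_x", "team_leader"]
    print("override :", effective(both, BOOK_OVERRIDE, override_model))
    print("tri-state:", effective(both, BOOK_TRISTATE, tristate_model))
```

For a user holding both roles, the override model leaves only View on the book, while the tri-state model keeps the Team Leader's global Edit and Delete. Content that relied on a view-only assignment as a restriction would need explicit Deny entries under the tri-state model.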

Reference: starred/BookStack#5327