Permission #5365

New Issue

Closed

opened 2026-02-05 10:00:29 +03:00 by OVERLORD · 2 comments

OVERLORD commented 2026-02-05 10:00:29 +03:00

Owner

Copy Link

Originally created by @Yarrax on GitHub (Jul 16, 2025).

Describe the Bug

Hello. I have a question about Permissions.

The permission rules are currently set up like this:

The problem we're facing is that if someone in our team creates a book, others can't see it. That's fine.

But if the author wants the book to be visible to others without giving them editing rights, then we need to change the "Common user" permissions.
In that case, according to the current setup, the role for "Common User" would look like this:

However, with this setup, the owner’s permissions get overwritten. As a result, even the owner of the book can’t edit or delete it anymore, regardless of the system settings.

It's looks like bug.

It seemed correct to me that overriding a role shouldn't affect the owner. In other words, system-level settings should take precedence over role changes applied to an object.

Steps to Reproduce

1. Create book
2. Edit permissions not as admin

Expected Behaviour

Owner have permissions to create, edit and delete sub-objects (chapters, pages etc.)

Screenshots or Additional Context

No response

Browser Details

No response

Exact BookStack Version

v25.05

Originally created by @Yarrax on GitHub (Jul 16, 2025). ### Describe the Bug Hello. I have a question about Permissions. The permission rules are currently set up like this: <img width="742" height="788" alt="Image" src="https://github.com/user-attachments/assets/2f06d7f0-1a8d-4c37-9b54-f4ce75c839fb" /> <img width="760" height="825" alt="Image" src="https://github.com/user-attachments/assets/7dadfda1-c498-451c-a963-7c1bd6b6a624" /> The problem we're facing is that if someone in our team creates a book, others can't see it. That's fine. But if the author wants the book to be visible to others without giving them editing rights, then we need to change the "Common user" permissions. In that case, according to the current setup, the role for "Common User" would look like this: <img width="1295" height="160" alt="Image" src="https://github.com/user-attachments/assets/1684638f-753c-4a34-9fe3-e9fbf19c8449" /> However, with this setup, the owner’s permissions get overwritten. As a result, even the owner of the book can’t edit or delete it anymore, regardless of the system settings. It's looks like bug. It seemed correct to me that overriding a role shouldn't affect the owner. In other words, system-level settings should take precedence over role changes applied to an object. ### Steps to Reproduce 1. Create book 2. Edit permissions not as admin ### Expected Behaviour Owner have permissions to create, edit and delete sub-objects (chapters, pages etc.) ### Screenshots or Additional Context _No response_ ### Browser Details _No response_ ### Exact BookStack Version v25.05

OVERLORD added the 🐛 Bug label 2026-02-05 10:00:29 +03:00

OVERLORD closed this issue 2026-02-05 10:00:30 +03:00

OVERLORD commented 2026-02-05 10:00:31 +03:00

Author

Owner

Copy Link

@ssddanbrown commented on GitHub (Jul 16, 2025):

Hi @Yarrax,
That's expected (assuming the owner is part of that group) since the role level permissions are more specific, and the item-level role permission override acts as a deny as much as an allow.
I appreciate this may be a hinderance to many scenarios though.

Existing issue #5672 is already open to suggest a means to allow overrides via a means which still allows inheritance in some form.

@ssddanbrown commented on GitHub (Jul 16, 2025): Hi @Yarrax, That's expected (assuming the owner is part of that group) since the role level permissions are more specific, and the item-level role permission override acts as a deny as much as an allow. I appreciate this may be a hinderance to many scenarios though. Existing issue #5672 is already open to suggest a means to allow overrides via a means which still allows inheritance in some form.

OVERLORD commented 2026-02-05 10:00:33 +03:00

Author

Owner

Copy Link

@ssddanbrown commented on GitHub (Jul 23, 2025):

Since there's been no further follow-up on this I'll go ahead and close it off.

@ssddanbrown commented on GitHub (Jul 23, 2025): Since there's been no further follow-up on this I'll go ahead and close it off.

OVERLORD referenced this issue 2026-02-05 10:33:30 +03:00

[PR #5365] [MERGED] Range of fixes/updates for the new Lexical based editor #6483

Sign in to join this conversation.

No Branch/Tag Specified

Branches Tags

development

l10n_development

further_theme_development

release

llm_only

vectors

v25-11

docker_env

drawio_rendering

user_permissions

ldap_host_failover

svg_image

prosemirror

captcha_example

fix/video-export

v25.12.3

v25.12.2

v25.12.1

v25.12

v25.11.6

v25.11.5

v25.11.4

v24.11.4

v25.11.3

v25.11.2

v25.11.1

v25.11

v25.07.3

v25.07.2

v25.07.1

v25.07

v25.05.2

v25.05.1

v25.05

v25.02.5

v25.02.4

v25.02.3

v25.02.2

v25.02.1

v25.02

v24.12.1

v24.12

v24.10.3

v24.10.2

v24.10.1

v24.10

v24.05.4

v24.05.3

v24.05.2

v24.05.1

v24.05

v24.02.3

v24.02.2

v24.02.1

v24.02

v23.12.3

v23.12.2

v23.12.1

v23.12

v23.10.4

v23.10.3

v23.10.2

v23.10.1

v23.10

v23.08.3

v23.08.2

v23.08.1

v23.08

v23.06.2

v23.06.1

v23.06

v23.05.2

v23.05.1

v23.05

v23.02.3

v23.02.2

v23.02.1

v23.02

v23.01.1

v23.01

v22.11.1

v22.11

v22.10.2

v22.10.1

v22.10

v22.09.1

v22.09

v22.07.3

v22.07.2

v22.07.1

v22.07

v22.06.2

v22.06.1

v22.06

v22.04.2

v22.04.1

v22.04

v22.03.1

v22.03

v22.02.3

v22.02.2

v22.02.1

v22.02

v21.12.5

v21.12.4

v21.12.3

v21.12.2

v21.12.1

v21.12

v21.11.3

v21.11.2

v21.11.1

v21.11

v21.10.3

v21.10.2

v21.10.1

v21.10

v21.08.6

v21.08.5

v21.08.4

v21.08.3

v21.08.2

v21.08.1

v21.08

v21.05.4

v21.05.3

v21.05.2

v21.05.1

v21.05

v21.04.6

v21.04.5

v21.04.4

v21.04.3

v21.04.2

v21.04.1

v21.04

v0.31.8

v0.31.7

v0.31.6

v0.31.5

v0.31.4

v0.31.3

v0.31.2

v0.31.1

v0.31.0

v0.30.7

v0.30.6

v0.30.5

v0.30.4

v0.30.3

v0.30.2

v0.30.1

v0.30.0

v0.29.3

v0.29.2

v0.29.1

v0.29.0

v0.28.3

v0.28.2

v0.28.1

v0.28.0

v0.27.5

v0.27.4

v0.27.3

v0.27.2

v0.27.1

v0.27

v0.26.4

v0.26.3

v0.26.2

v0.26.1

v0.26.0

v0.25.5

v0.25.4

v0.25.3

v0.25.2

v0.25.1

v0.25.0

v0.24.3

v0.24.2

v0.24.1

v0.24.0

v0.23.2

v0.23.1

v0.23.0

v0.22.0

v0.21.0

v0.20.3

v0.20.2

v0.20.1

v0.20.0

v0.19.0

v0.18.5

v0.18.4

v0.18.3

v0.18.2

v0.18.1

v0.18.0

v0.17.4

v0.17.3

v0.17.2

v0.17.1

v0.17.0

v0.16.3

v0.16.2

v0.16.1

v0.16.0

v0.15.3

v0.15.2

v0.15.1

v0.15.0

v0.14.3

v0.14.2

v0.14.1

v0.14.0

v0.13.1

v0.13.0

v0.12.2

v0.12.1

v0.12.0

v0.11.2

v0.11.1

v0.11.0

v0.10.0

v0.9.3

v0.9.2

v0.9.1

v0.9.0

v0.8.2

v0.8.1

v0.8.0

v0.7.6

v0.7.5

v0.7.4

v0.7.3

0.7.2

v.0.7.1

v0.7.0

v0.6.3

v0.6.2

v0.6.1

v0.6.0

v0.5.0

Labels

Clear labels

🎨 Design

📖 Docs Update

🐛 Bug

🐛 Bug

:cat2:🐈 Possible duplicate

💿 Database

☕ Open to discussion

💻 Front-End

🐕 Support

🚪 Authentication

🌍 Translations

🔌 API Task

🏭 Back-End

⛲ Upstream

🔨 Feature Request

🛠️ Enhancement

🛠️ Enhancement

🛠️ Enhancement

❤️ Happy feedback

🔒 Security

🔍 Pending Validation

💆 UX

📝 WYSIWYG Editor

🌔 Out of scope

🔩 API Request

:octocat: Admin/Meta

🖌️ View Customization

❓ Question

🚀 Priority

🛡️ Blocked

🚚 Export System

♿ A11y

🔧 Maintenance

> Markdown Editor

pull-request

Mirrored from GitHub Pull Request

No Label 🐛 Bug

Milestone

No items

No Milestone

Projects

Clear projects

No project

Assignees

Clear assignees

OVERLORD

No Assignees

1 Participants

Notifications

Subscribe

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: starred/BookStack#5365