User Groups and Permissions #54

Closed
opened 2026-02-04 16:24:25 +03:00 by OVERLORD · 10 comments

Originally created by @cpressland on GitHub (Feb 4, 2016).

Originally assigned to: @ssddanbrown on GitHub.

It'd be nice to be able to define groups of users and then define on a Page or Chapter level if they're able to view said Page/Chapter.

For example, I have two groups, "Infrastructure" & "Developers"
I have a page called "Super Secret Information"

I may want "Infrastructure" to be able to view and edit "Super Secret Information" but "Developers" won't even be aware the page exists.

However, if a member of the "Developers" group is an Admin they should always be able to see everything. This should only apply to Viewers and Editors.

OVERLORD added the 🛠️ Enhancement label 2026-02-04 16:24:25 +03:00

@tuudik commented on GitHub (Feb 26, 2016):

Yeah, currently ACL is missing. Would love it! 👍


@kristjankullerkann commented on GitHub (Feb 26, 2016):

👍


@armouredking commented on GitHub (Feb 27, 2016):

Piggybacking - It'd be nice for it to also have the ability to have multiuser controls. The way Bookstack is made, it'd be great for say a fan story site. However, atm there is only the three levels Viewer / Editor / Admin. Viewers can't create books, and Editors can write to any book. It'd be nice if there was a fourth level, between Viewers and Editor ( Author? ) where they can create books and edit their own books but nobody else's.


@ssddanbrown commented on GitHub (Feb 27, 2016):

The current permissions system is currently database driven so adding an interface to allow custom roles is definitely possible. The tricky part will be checking permissions every time an entity is shown but I'm sure I can figure it out. I've marked this up as my next major feature to work on.

@armouredking In implementing the base issue this should be covered as you'll be able to create custom roles. I'll ensure to have one of the assignable permissions to be something like 'Can edit own content' so you'll be able to create an 'Author' user as that's a great idea.


@ssddanbrown commented on GitHub (Mar 6, 2016):

As of the latest release all the above is now possible. Details on the new roles & restriction systems can be found here: https://www.bookstackapp.com/blog/beta-release-v0-7-6/

Due to large changes there still may be some holes in this system. If any problems are found please open a new issue.


@tuudik commented on GitHub (Mar 8, 2016):

@ssddanbrown 👏 Nice job!

Does it work also with LDAP? :)


@ssddanbrown commented on GitHub (Mar 8, 2016):

@tuudik No 😞

I've just opened #75 specifically for this.

Since I'm not too familiar with LDAP, what would be the ideal way of mapping LDAP groups to roles? Would assigning group DNs on each role be sufficient?


@tuudik commented on GitHub (Mar 8, 2016):

Maybe, if just adding the possibility to add a custom filter to each role the admin creates would work? @litewhatever what do you think?


@kristjankullerkann commented on GitHub (Mar 8, 2016):

If it isn't already possible then the easiest solution would probably be to just synchronize LDAP users to Bookstack and then assign those to Bookstack roles.
There should probably be the ability to define an LDAP query filter to narrow down which users are being synchronized.


@kristjankullerkann commented on GitHub (Mar 8, 2016):

A more difficult approach would be to define roles within LDAP and then synchronize LDAP users and roles to Bookstack and assign permissions to those (Confluence is using this approach if I'm not mistaken).
This is a bit complicated as there are various ways groups/roles are built inside LDAP.
You could use the posixGroup objectClass, which defines members as the memberUid attribute (they map to the user uid), or the groupOfNames objectClass, which defines members as the member attribute (they map to the user's full DN).
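
The two membership schemas described in the comment above, combined with the "group DNs on each role" idea raised earlier in the thread, as an added Python example (not BookStack code, which is PHP). The directory entries, the `ROLE_GROUP_DNS` mapping and all function names are constructed for illustration.

```python
import re

# Constructed sample entries (not from a real directory), one per schema.
GROUPS = [
    {"dn": "cn=infrastructure,ou=groups,dc=example,dc=org",
     "objectClass": ["top", "posixGroup"],
     "memberUid": ["alice", "bob"]},
    {"dn": "cn=developers,ou=groups,dc=example,dc=org",
     "objectClass": ["top", "groupOfNames"],
     "member": ["UID=carol, OU=People, DC=Example, DC=Org"]},
]

# Hypothetical role configuration: each role lists the group DNs that grant it.
ROLE_GROUP_DNS = {
    "Editor": ["CN=Infrastructure,OU=Groups,DC=example,DC=org"],
    "Viewer": ["cn=developers,ou=groups,dc=example,dc=org"],
}

def normalize_dn(dn):
    # Simplified: assumes case-insensitive attributes (cn, uid, ou, dc);
    # the lookbehind keeps escaped commas inside their value.
    parts = []
    for rdn in re.split(r"(?<!\\),", dn):
        attr, _, value = rdn.partition("=")
        parts.append(f"{attr.strip().lower()}={value.strip().lower()}")
    return ",".join(parts)

def groups_for_user(uid, user_dn, groups=GROUPS):
    """Return normalized DNs of the groups the user belongs to."""
    found = set()
    for group in groups:
        classes = {c.lower() for c in group["objectClass"]}
        # posixGroup: memberUid holds bare uids, compared case-sensitively.
        by_uid = "posixgroup" in classes and uid in group.get("memberUid", [])
        # groupOfNames: member holds full DNs, compared after normalization.
        members = {normalize_dn(m) for m in group.get("member", [])}
        by_dn = "groupofnames" in classes and normalize_dn(user_dn) in members
        if by_uid or by_dn:
            found.add(normalize_dn(group["dn"]))
    return found

def roles_for_user(uid, user_dn, role_map=ROLE_GROUP_DNS):
    """Map group membership to roles; no matching group means no role."""
    member_of = groups_for_user(uid, user_dn)
    return sorted(role for role, dns in role_map.items()
                  if member_of & {normalize_dn(d) for d in dns})
```

Because posixGroup membership is keyed on the bare uid, an entry with the same uid in a different subtree receives the same role, so uid values need to be unique across the search base used for login.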


Reference: starred/BookStack#54