Public image access denied #5515

New Issue

Closed

opened 2026-02-05 10:08:01 +03:00 by OVERLORD · 5 comments

OVERLORD commented 2026-02-05 10:08:01 +03:00

Owner

Copy Link

Originally created by @RFrost619 on GitHub (Nov 20, 2025).

Describe the Bug

After upgrading to v25.11.2, public users who have access to a page do not receive access to images.

Steps to Reproduce

Upgrade docker image container from v25.11.1 to v25.11.2. Refresh web page when user is not authenticated. Unauthenticated users lose access to images.

Expected Behaviour

Users should retain access to images where they have been provided access to the web page.

Screenshots or Additional Context

Attempted to run the following commands which had no effect:

php artisan bookstack:regenerate-permissions
php artisan bookstack:regenerate-references

Permissions on the files appear to be correct, and downgrading the version resolves the problem.

Browser Details

Firefox and chrome were used to test

Exact BookStack Version

v25.11.2

Originally created by @RFrost619 on GitHub (Nov 20, 2025). ### Describe the Bug After upgrading to v25.11.2, public users who have access to a page do not receive access to images. ### Steps to Reproduce Upgrade docker image container from v25.11.1 to v25.11.2. Refresh web page when user is not authenticated. Unauthenticated users lose access to images. ### Expected Behaviour Users should retain access to images where they have been provided access to the web page. ### Screenshots or Additional Context Attempted to run the following commands which had no effect: php artisan bookstack:regenerate-permissions php artisan bookstack:regenerate-references Permissions on the files appear to be correct, and downgrading the version resolves the problem. ### Browser Details Firefox and chrome were used to test ### Exact BookStack Version v25.11.2

OVERLORD added the 🐛 Bug🚀 Priority labels 2026-02-05 10:08:01 +03:00

OVERLORD closed this issue 2026-02-05 10:08:02 +03:00

OVERLORD commented 2026-02-05 10:08:04 +03:00

Author

Owner

Copy Link

@ssddanbrown commented on GitHub (Nov 21, 2025):

Hi @RFrost619,
Thanks for reporting, I think I may have just not consider a config & user scenario when making recent image control changes.

Just to confirm, do you have any STORAGE_* options set within your BookStack env config? And if so, what settings/values do you have set? (where not containing credentials).

@ssddanbrown commented on GitHub (Nov 21, 2025): Hi @RFrost619, Thanks for reporting, I think I may have just not consider a config & user scenario when making recent image control changes. Just to confirm, do you have any `STORAGE_*` options set within your BookStack env config? And if so, what settings/values do you have set? (where not containing credentials).

OVERLORD commented 2026-02-05 10:08:06 +03:00

Author

Owner

Copy Link

@RFrost619 commented on GitHub (Nov 21, 2025):

Hi @ssddanbrown,

Of course!

I do have STORAGE_TYPE=local_secure_restricted. Outside of the basic app, port, password options, I am using OIDC and mail variables.

Cleansed .env:

APP_URL=https://my.site.url
APP_PORT=443
DB_PASSWORD=strong_pass_1
DB_ROOT_PASSWORD=strong_pass_2
WEB_PORT=8080
STORAGE_TYPE=local_secure_restricted
AUTH_METHOD=oidc
AUTH_AUTO_INITIATE=false
OIDC_NAME=authentik
OIDC_DISPLAY_NAME_CLAIMS=name
OIDC_CLIENT_ID=client_id
OIDC_CLIENT_SECRET=client_secret
OIDC_ISSUER=https://authentik.io/application/o/bookstack/
OIDC_ISSUER_DISCOVER=true
OIDC_END_SESSION_ENDPOINT=true
OIDC_USER_TO_GROUPS=true
OIDC_GROUPS_CLAIM=groups
OIDC_ADDITIONAL_SCOPES=groups
OIDC_REMOVE_FROM_GROUPS=true
MAIL_DRIVER=smtp
MAIL_HOST=smtp.mail.com
MAIL_PORT=465
MAIL_ENCRYPTION=tls
MAIL_USERNAME=bookstack@site.url
MAIL_PASSWORD=strong_pass_3
MAIL_FROM=bookstack@site.url
MAIL_FROM_NAME=BookStack

@RFrost619 commented on GitHub (Nov 21, 2025): Hi @ssddanbrown, Of course! I do have STORAGE_TYPE=local_secure_restricted. Outside of the basic app, port, password options, I am using OIDC and mail variables. Cleansed .env: APP_URL=https://my.site.url APP_PORT=443 DB_PASSWORD=strong_pass_1 DB_ROOT_PASSWORD=strong_pass_2 WEB_PORT=8080 STORAGE_TYPE=local_secure_restricted AUTH_METHOD=oidc AUTH_AUTO_INITIATE=false OIDC_NAME=authentik OIDC_DISPLAY_NAME_CLAIMS=name OIDC_CLIENT_ID=client_id OIDC_CLIENT_SECRET=client_secret OIDC_ISSUER=https://authentik.io/application/o/bookstack/ OIDC_ISSUER_DISCOVER=true OIDC_END_SESSION_ENDPOINT=true OIDC_USER_TO_GROUPS=true OIDC_GROUPS_CLAIM=groups OIDC_ADDITIONAL_SCOPES=groups OIDC_REMOVE_FROM_GROUPS=true MAIL_DRIVER=smtp MAIL_HOST=smtp.mail.com MAIL_PORT=465 MAIL_ENCRYPTION=tls MAIL_USERNAME=bookstack@site.url MAIL_PASSWORD=strong_pass_3 MAIL_FROM=bookstack@site.url MAIL_FROM_NAME=BookStack

OVERLORD commented 2026-02-05 10:08:08 +03:00

Author

Owner

Copy Link

@ssddanbrown commented on GitHub (Nov 21, 2025):

@RFrost619 Thanks for providing those details.

This confirms the scenario I had thought I had missed, where local_secure_restricted is used with public/guest access.
Apologies, I'll prioritise this to a patch release.

@ssddanbrown commented on GitHub (Nov 21, 2025): @RFrost619 Thanks for providing those details. This confirms the scenario I had thought I had missed, where `local_secure_restricted` is used with public/guest access. Apologies, I'll prioritise this to a patch release.

OVERLORD commented 2026-02-05 10:08:10 +03:00

Author

Owner

Copy Link

@ssddanbrown commented on GitHub (Nov 21, 2025):

This has now been addressed as part of #5909, and will be part of Bookstack v25.11.3 which will be released shortly.
Thanks again @RFrost619 for raising.

@ssddanbrown commented on GitHub (Nov 21, 2025): This has now been addressed as part of #5909, and will be part of Bookstack v25.11.3 which will be released shortly. Thanks again @RFrost619 for raising.

OVERLORD commented 2026-02-05 10:08:11 +03:00

Author

Owner

Copy Link

@RFrost619 commented on GitHub (Dec 1, 2025):

Just wanted to circle around and confirm this issue is resolved for me in the latest version. I also wanted to say thanks again for the amazing work!

@RFrost619 commented on GitHub (Dec 1, 2025): Just wanted to circle around and confirm this issue is resolved for me in the latest version. I also wanted to say thanks again for the amazing work!

Sign in to join this conversation.

No Branch/Tag Specified

Branches Tags

development

further_theme_development

l10n_development

release

llm_only

vectors

v25-11

docker_env

drawio_rendering

user_permissions

ldap_host_failover

svg_image

prosemirror

captcha_example

fix/video-export

v25.12.3

v25.12.2

v25.12.1

v25.12

v25.11.6

v25.11.5

v25.11.4

v24.11.4

v25.11.3

v25.11.2

v25.11.1

v25.11

v25.07.3

v25.07.2

v25.07.1

v25.07

v25.05.2

v25.05.1

v25.05

v25.02.5

v25.02.4

v25.02.3

v25.02.2

v25.02.1

v25.02

v24.12.1

v24.12

v24.10.3

v24.10.2

v24.10.1

v24.10

v24.05.4

v24.05.3

v24.05.2

v24.05.1

v24.05

v24.02.3

v24.02.2

v24.02.1

v24.02

v23.12.3

v23.12.2

v23.12.1

v23.12

v23.10.4

v23.10.3

v23.10.2

v23.10.1

v23.10

v23.08.3

v23.08.2

v23.08.1

v23.08

v23.06.2

v23.06.1

v23.06

v23.05.2

v23.05.1

v23.05

v23.02.3

v23.02.2

v23.02.1

v23.02

v23.01.1

v23.01

v22.11.1

v22.11

v22.10.2

v22.10.1

v22.10

v22.09.1

v22.09

v22.07.3

v22.07.2

v22.07.1

v22.07

v22.06.2

v22.06.1

v22.06

v22.04.2

v22.04.1

v22.04

v22.03.1

v22.03

v22.02.3

v22.02.2

v22.02.1

v22.02

v21.12.5

v21.12.4

v21.12.3

v21.12.2

v21.12.1

v21.12

v21.11.3

v21.11.2

v21.11.1

v21.11

v21.10.3

v21.10.2

v21.10.1

v21.10

v21.08.6

v21.08.5

v21.08.4

v21.08.3

v21.08.2

v21.08.1

v21.08

v21.05.4

v21.05.3

v21.05.2

v21.05.1

v21.05

v21.04.6

v21.04.5

v21.04.4

v21.04.3

v21.04.2

v21.04.1

v21.04

v0.31.8

v0.31.7

v0.31.6

v0.31.5

v0.31.4

v0.31.3

v0.31.2

v0.31.1

v0.31.0

v0.30.7

v0.30.6

v0.30.5

v0.30.4

v0.30.3

v0.30.2

v0.30.1

v0.30.0

v0.29.3

v0.29.2

v0.29.1

v0.29.0

v0.28.3

v0.28.2

v0.28.1

v0.28.0

v0.27.5

v0.27.4

v0.27.3

v0.27.2

v0.27.1

v0.27

v0.26.4

v0.26.3

v0.26.2

v0.26.1

v0.26.0

v0.25.5

v0.25.4

v0.25.3

v0.25.2

v0.25.1

v0.25.0

v0.24.3

v0.24.2

v0.24.1

v0.24.0

v0.23.2

v0.23.1

v0.23.0

v0.22.0

v0.21.0

v0.20.3

v0.20.2

v0.20.1

v0.20.0

v0.19.0

v0.18.5

v0.18.4

v0.18.3

v0.18.2

v0.18.1

v0.18.0

v0.17.4

v0.17.3

v0.17.2

v0.17.1

v0.17.0

v0.16.3

v0.16.2

v0.16.1

v0.16.0

v0.15.3

v0.15.2

v0.15.1

v0.15.0

v0.14.3

v0.14.2

v0.14.1

v0.14.0

v0.13.1

v0.13.0

v0.12.2

v0.12.1

v0.12.0

v0.11.2

v0.11.1

v0.11.0

v0.10.0

v0.9.3

v0.9.2

v0.9.1

v0.9.0

v0.8.2

v0.8.1

v0.8.0

v0.7.6

v0.7.5

v0.7.4

v0.7.3

0.7.2

v.0.7.1

v0.7.0

v0.6.3

v0.6.2

v0.6.1

v0.6.0

v0.5.0

Labels

Clear labels

🎨 Design

📖 Docs Update

🐛 Bug

🐛 Bug

:cat2:🐈 Possible duplicate

💿 Database

☕ Open to discussion

💻 Front-End

🐕 Support

🚪 Authentication

🌍 Translations

🔌 API Task

🏭 Back-End

⛲ Upstream

🔨 Feature Request

🛠️ Enhancement

🛠️ Enhancement

🛠️ Enhancement

❤️ Happy feedback

🔒 Security

🔍 Pending Validation

💆 UX

📝 WYSIWYG Editor

🌔 Out of scope

🔩 API Request

:octocat: Admin/Meta

🖌️ View Customization

❓ Question

🚀 Priority

🛡️ Blocked

🚚 Export System

♿ A11y

🔧 Maintenance

> Markdown Editor

pull-request

Mirrored from GitHub Pull Request

No Label 🐛 Bug 🚀 Priority

Milestone

No items

No Milestone

Projects

Clear projects

No project

Assignees

Clear assignees

OVERLORD

No Assignees

1 Participants

Notifications

Subscribe

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: starred/BookStack#5515