Error when user without permissions accesses attachment link #559

Closed
opened 2026-02-04 21:01:02 +03:00 by OVERLORD · 1 comment

Originally created by @svarlamov on GitHub (Jan 28, 2018).

Originally assigned to: @ssddanbrown on GitHub.

For Bug Reports

  • BookStack Version (Found in settings, Please don't put 'latest'): master branch commit f4bfbf91db
  • PHP Version: 7.1.10
  • MySQL Version: 5.7.20

Expected Behavior

User should see a 403 (or 404 if we wish to 'hide' it) page

Current Behavior

User gets a "An unknown error occurred" page. In the console log, we see:

production.ERROR: Type error: Argument 2 passed to BookStack\\Http\\Controllers\\Controller::checkOwnablePermission() must be an instance of BookStack\\Ownable, null given, called in /var/www/bookstack/app/Http/Controllers/AttachmentController.php on line 190 {"exception":"[object] (Symfony\\\\Component\\\\Debug\\\\Exception\\\\FatalThrowableError(code: 0): Type error: Argument 2 passed to BookStack\\\\Http\\\\Controllers\\\\Controller::checkOwnablePermission() must be an instance of BookStack\\\\Ownable, null given, called in /var/www/bookstack/app/Http/Controllers/AttachmentController.php on line 190 at /var/www/bookstack/app/Http/Controllers/Controller.php:101)"} []

Steps to Reproduce

  1. Create a page with an attachment.

  2. Set custom permissions for the page that prohibit your user in step 3 from viewing the page

  3. As a user that doesn't have view privileges to the page, navigate to the link for the attachment (i.e., http://localhost:8080/attachments/1)

OVERLORD added the 🐛 Bug label 2026-02-04 21:01:02 +03:00
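
The failure mode in the log above, as an added example that is not part of the original report and is not BookStack's code. It assumes the `null` came from a permission-filtered lookup of the attachment's page; `Ownable` and `checkOwnablePermission` echo the names in the log, while `Page`, `findVisiblePage`, `downloadBefore`, `downloadAfter` and the function signatures are hypothetical stand-ins.

```php
<?php
// Constructed model of the reported failure; names other than Ownable and
// checkOwnablePermission are hypothetical, and the signatures are assumed.
interface Ownable { public function allows(string $user): bool; }

class Page implements Ownable
{
    private $viewers;
    public function __construct(array $viewers) { $this->viewers = $viewers; }
    public function allows(string $user): bool { return in_array($user, $this->viewers, true); }
}

// Assumed permission-scoped lookup: a page the user may not view comes back as null.
function findVisiblePage(array $pages, int $id, string $user): ?Page
{
    $page = $pages[$id] ?? null;
    return ($page !== null && $page->allows($user)) ? $page : null;
}

// The second parameter is typed like argument 2 in the log, so null raises a TypeError.
function checkOwnablePermission(string $user, Ownable $ownable): void
{
    if (!$ownable->allows($user)) {
        throw new RuntimeException('Forbidden', 403);
    }
}

// Before: the lookup result is passed straight into the typed check.
function downloadBefore(array $pages, int $pageId, string $user): int
{
    try {
        checkOwnablePermission($user, findVisiblePage($pages, $pageId, $user));
        return 200;
    } catch (TypeError $e) {
        return 500; // surfaces as the generic "An unknown error occurred" page
    }
}

// After: a missing or hidden page is answered before the typed check runs.
function downloadAfter(array $pages, int $pageId, string $user): int
{
    $page = findVisiblePage($pages, $pageId, $user);
    if ($page === null) {
        return 404; // or 403; both are the outcomes the report asks for
    }
    checkOwnablePermission($user, $page);
    return 200;
}

$pages = [1 => new Page(['alice'])]; // constructed sample data
foreach (['alice', 'bob'] as $user) {
    printf("%s: before=%d after=%d\n", $user, downloadBefore($pages, 1, $user), downloadAfter($pages, 1, $user));
}
```

Returning 404 for both "does not exist" and "not visible to this user" keeps the response from confirming that a restricted attachment exists.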

@ssddanbrown commented on GitHub (Feb 11, 2018):

Thanks for reporting. Will be fixed in the next release.

Reference: starred/BookStack#559