Custom permissions do not affect book cover images #910

Closed
opened 2026-02-04 22:53:51 +03:00 by OVERLORD · 2 comments
Owner

Originally created by @Bolthier on GitHub (Nov 17, 2018).

Describe the bug
Book cover image viewable and even deletable by user without any custom permissions (view, edit or delete) for a book.

Steps To Reproduce
Steps to reproduce the behavior:

  1. Create 2 books (Book A and Book B) and 2 users (Alice and Bob)
  2. Change custom permission: Book A so only Alice can view, edit and delete Book A
  3. Give Bob permission to edit Book B (through custom or default)
  4. Upload book cover image with Alice to Book A and save
  5. Login with Bob > Edit Book B > Go to Cover Image Selection
    Result: Bob can view Alice's cover image for Book A but not the book itself. With default permission 'delete' Bob can even delete Alice's Book cover completely.

Expected behavior
Book cover images uploaded to not viewable books shouldn't be viewable in the image assets selection for other book covers. The same behaviour as for images in hidden pages.

Your Configuration (please complete the following information):

  • Exact BookStack Version (Found in settings): BookStack v0.24.2
  • PHP Version: 7.2
  • Hosting Method (Nginx/Apache/Docker): Apache2
OVERLORD added the 🛠️ Enhancement, 🔒 Security, 💆 UX, 💻 Front-End labels 2026-02-04 22:53:51 +03:00
Author
Owner

@ssddanbrown commented on GitHub (Nov 24, 2018):

Yeah, I think the image selection for books and shelves needs to be re-worked to not go through the manager, and instead directly select images.

Author
Owner

@ssddanbrown commented on GitHub (May 4, 2019):

Thanks for reporting @Bolthier.

As of the implementation of #1410, cover images are now directly selected instead of using the image manager, therefore inheriting the permissions of the books. This will be part of the next release.

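The access rule discussed in this thread, as an added Python sketch that is not BookStack's code: cover images are listed and deleted only through the permissions of the book they belong to. All names and the sample data are constructed for illustration, and treating cover removal as a book "edit" action is an assumption.

```python
# Added illustration: a simplified model, not BookStack's implementation.
from dataclasses import dataclass


@dataclass(frozen=True)
class Image:
    id: int
    kind: str         # "cover" or "gallery"
    uploaded_to: str  # name of the book the image belongs to


# Constructed sample data mirroring the issue's reproduction steps.
BOOK_PERMS = {
    "Book A": {"alice": {"view", "edit", "delete"}},
    "Book B": {"bob": {"view", "edit"}},
}
IMAGES = [Image(1, "cover", "Book A"), Image(2, "cover", "Book B")]


def can(user, action, book):
    """True if `user` holds `action` on `book` (deny by default)."""
    return action in BOOK_PERMS.get(book, {}).get(user, set())


def list_covers_unscoped(user):
    """Reported behaviour: every cover is listed, whoever is asking."""
    return [img.id for img in IMAGES if img.kind == "cover"]


def list_covers_scoped(user):
    """Expected behaviour: only covers of books the user may view."""
    return [img.id for img in IMAGES
            if img.kind == "cover" and can(user, "view", img.uploaded_to)]


def delete_cover(user, image_id, images):
    """Assumption: removing a cover requires 'edit' on its own book."""
    img = next((i for i in images if i.id == image_id), None)
    if img is None or not can(user, "edit", img.uploaded_to):
        return False
    images.remove(img)
    return True
```
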
Reference: starred/BookStack#910