page preview leaks included content without permissions #952

Closed
opened 2026-02-04 23:09:01 +03:00 by OVERLORD · 1 comment
Owner

Originally created by @ezzra on GitHub (Dec 12, 2018).

Describe the bug
When there is included content at beginning of the page that should not be accessible by the User it wil still be shown in the page preview.

Steps To Reproduce
Steps to reproduce the behavior:

  1. Create page1 without reading permissions for user1 and write anything within there
  2. Get the content include code by double clicking
  3. Create page2 with reading permission for user1
  4. Include the content (for example with {{@3#bkmrk-example-of-a-text-inc}}) into the first lines
  5. login as user1

You should not be able to read page1, you should not see the content from page1 in page2, but you will see the content of page1 in the pagelist summary

Screenshots
screenshot_2018-12-12_14-49-50
screenshot_2018-12-12_14-49-32

More
I guess the source of the problem is very simple, when the preview is generated it does not check for the include permissions. This problem seems to be introduced with #442. By the way, one more reason for #1126 ;)

Originally created by @ezzra on GitHub (Dec 12, 2018). **Describe the bug** When there is included content at beginning of the page that should not be accessible by the User it wil still be shown in the page preview. **Steps To Reproduce** Steps to reproduce the behavior: 1. Create page1 **without** reading permissions for user1 and write anything within there 2. Get the content include code by double clicking 3. Create page2 **with** reading permission for user1 4. Include the content (for example with `{{@3#bkmrk-example-of-a-text-inc}}`) into the first lines 5. login as user1 You should not be able to read page1, you should not see the content from page1 in page2, but you will see the content of page1 in the pagelist summary **Screenshots** ![screenshot_2018-12-12_14-49-50](https://user-images.githubusercontent.com/37742522/49873887-43373b80-fe1d-11e8-90e9-7b8002300540.png) ![screenshot_2018-12-12_14-49-32](https://user-images.githubusercontent.com/37742522/49873888-43373b80-fe1d-11e8-8186-365d43fe9a27.png) **More** I guess the source of the problem is very simple, when the preview is generated it does not check for the include permissions. This problem seems to be introduced with #442. By the way, one more reason for #1126 ;)
OVERLORD added the 🐛 Bug📖 Docs Update🚀 Priority labels 2026-02-04 23:09:01 +03:00
Author
Owner

@ssddanbrown commented on GitHub (Jan 5, 2019):

Thanks for reporting @ezzra.

Now updated to exclude include tags when generating stored text content.
Will need to include a notice for the next update to advised re-saving existing content that may be sensitive.

@ssddanbrown commented on GitHub (Jan 5, 2019): Thanks for reporting @ezzra. Now updated to exclude include tags when generating stored text content. Will need to include a notice for the next update to advised re-saving existing content that may be sensitive.
Sign in to join this conversation.
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: starred/BookStack#952