Move can be used to delete items #972

Closed
opened 2026-02-04 23:13:46 +03:00 by OVERLORD · 3 comments

Originally created by @Bolthier on GitHub (Dec 28, 2018).

Originally assigned to: @ssddanbrown on GitHub.

Describe the bug
Move is essentially a delete option in combination with custom permissions. Right now the permission Edit gives the option to update, copy or move a page or chapter.

Steps To Reproduce
Steps to reproduce the behavior:

  1. Create two books (Book 1 & Book 2), Role A, a user in Role A and a page in Book 1
  2. Set custom permissions for Book 1 for Role A to Create, View & Edit
  3. Set custom permissions for Book 2 for Group A to Create, View, Edit & Delete
  4. Move Page 1 from Book 1 to Book 2
  5. Click Delete and the page is permanently deleted as the custom permissions of Book 1 don't matter for Book 2

Expected behavior
No option to move pages without the permission Delete from the source location as it deletes the item from the original location. Likewise as it needs the Create and not Edit permission on target location.

Copy doesn't remove the original file from the original location so that's no problem.

Could be less of an issue with the recycle bin, but is still an isolated issue of its own.
https://github.com/BookStackApp/BookStack/issues/1017

Your Configuration:

  • Exact BookStack Version (Found in settings): BookStack v0.24.2
  • PHP Version: 7.2
  • Hosting Method (Nginx/Apache/Docker): Apache2
OVERLORD added the 🔒 Security and 🏭 Back-End labels 2026-02-04 23:13:46 +03:00

@ssddanbrown commented on GitHub (Dec 28, 2018):

@Bolthier Interesting, good find, Thanks for raising.
Based on the above, I agree. The user should require delete permissions on the page when it's at its original location. So the required permissions will be as follows:

  • Update permission in origin location.
  • Delete permission in origin location.
  • Create permission in target location.

Have marked to be in the next release.


@sexy-trousers commented on GitHub (Nov 7, 2019):

Although I agree with what's said here (in particular about the recycle bin negating some of this), you should be able to Move elements within a Book.

@Bolthier was pointing out how you can potentially circumvent security to delete elements, but if the move was contained within the book the user had access to, the Delete permission shouldn't be required.

TJ


@Bolthier commented on GitHub (Nov 7, 2019):

@sexy-trousers As it's possible to assign Delete permissions on a chapter-by-chapter basis I think it would still be a potential security issue.

I think the same issue exists for the Sort Book function.

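The following is an added illustration written for this thread, not BookStack's own code. It models a small book/chapter/page hierarchy with per-entity custom permissions (a child with no custom permissions inherits its parent's), and contrasts the move check described in the report (only Update on the item) with the check ssddanbrown listed (Update and Delete at the origin, Create at the target). It replays both the cross-book repro steps from the issue body and the chapter-level case raised in the last two comments, where a page is moved out of a chapter that lacks Delete into one that inherits it from the book. All names (`Entity`, `move_vulnerable`, `move_hardened`, `replay`, the role and book names) are constructed for the example.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed model: actions mirror BookStack's View/Create/Update/Delete set.
ACTIONS = {"view", "create", "update", "delete"}


@dataclass
class Entity:
    name: str
    kind: str                          # "book", "chapter" or "page"
    parent: Optional["Entity"] = None
    custom: Optional[dict] = None      # role -> set of actions; None = inherit


class PermissionDenied(Exception):
    pass


def effective_perms(entity: Entity, role: str) -> set:
    """Walk up the tree to the nearest entity carrying custom permissions."""
    node = entity
    while node is not None:
        if node.custom is not None:
            return node.custom.get(role, set())
        node = node.parent
    return set()


def can(entity: Entity, role: str, action: str) -> bool:
    assert action in ACTIONS
    return action in effective_perms(entity, role)


def move_vulnerable(page: Entity, target: Entity, role: str) -> None:
    """Behaviour described in the report: only Update on the item is checked."""
    if not can(page, role, "update"):
        raise PermissionDenied("update@origin")
    page.parent = target


def move_hardened(page: Entity, target: Entity, role: str) -> None:
    """Checks from the maintainer's comment: update + delete at origin, create at target."""
    missing = []
    if not can(page, role, "update"):
        missing.append("update@origin")
    if not can(page, role, "delete"):
        missing.append("delete@origin")
    if not can(target, role, "create"):
        missing.append("create@target")
    if missing:
        raise PermissionDenied(", ".join(missing))
    page.parent = target


def delete_page(page: Entity, role: str) -> None:
    """Delete is evaluated against the page's current location only."""
    if not can(page, role, "delete"):
        raise PermissionDenied("delete@current")
    page.parent = None  # stand-in for removing the record


def build_cross_book():
    """Repro from the issue: Book 1 without Delete, Book 2 with Delete, page in Book 1."""
    book1 = Entity("Book 1", "book", custom={"Role A": {"view", "create", "update"}})
    book2 = Entity("Book 2", "book", custom={"Role A": ACTIONS})
    page = Entity("Page 1", "page", parent=book1)
    return page, book2


def build_cross_chapter():
    """Later comments: within one book, a chapter with its own (Delete-less) permissions."""
    book = Entity("Book 3", "book", custom={"Role A": ACTIONS})
    locked = Entity("Locked chapter", "chapter", parent=book,
                    custom={"Role A": {"view", "update"}})
    open_ch = Entity("Open chapter", "chapter", parent=book)   # inherits Delete
    page = Entity("Page 2", "page", parent=locked)
    return page, open_ch


def replay(move_fn, page: Entity, target: Entity, role: str = "Role A"):
    """Move then delete; report ('deleted', None) or ('denied', reason)."""
    try:
        move_fn(page, target, role)
        delete_page(page, role)
        return ("deleted", None)
    except PermissionDenied as exc:
        return ("denied", str(exc))


if __name__ == "__main__":
    for label, builder in (("cross-book", build_cross_book),
                           ("cross-chapter", build_cross_chapter)):
        print(label, "vulnerable:", replay(move_vulnerable, *builder()))
        print(label, "hardened:  ", replay(move_hardened, *builder()))
```

With the original check both scenarios end in a deleted page even though the user never held Delete where the page lived; with the hardened check both moves are refused with `delete@origin`. A move between two locations where the user does hold Delete (TJ's within-book case with no chapter-level override) still succeeds under the hardened check, since every required permission is present.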
Reference: starred/BookStack#972