Guest only accepts custom permissions from role Public #999

New Issue

Closed

opened 2026-02-04 23:21:24 +03:00 by OVERLORD · 2 comments

OVERLORD commented 2026-02-04 23:21:24 +03:00

Owner

Copy Link

Originally created by @Bolthier on GitHub (Jan 19, 2019).

Describe the bug
Guest user only accepts custom permissions from the role Public. Any other role permission is ignored. The default permissions however work if given from another role than Public.

Steps To Reproduce

1. Go to roles and create another role "BookA", add this role to the user Guest
2. Create a book "BookA" and configure custom permissions for role BookA to view and none for role Public
3. Open a private tab with the book
4. See no book

Expected behavior
Guest user should inherit custom permissions from other roles than Public.

Your Configuration (please complete the following information):

• Exact BookStack Version: BookStack v0.25.0
• PHP Version: 7.2.10
• Hosting Method: Apache2

Additional context
I use custom permissions for all of my books. For every book I use a different role with the same name as the book. Only this role can create or edit. If I want users to edit a book, I just add them to the role and I'm done with it. This way I can also easily overview any given edit permissions of a user.

This works pretty flawless except for the Guest user, which I want to give edit access to some books but without loosing track where the role Public has permission to edit. This can get icky with an expanding library.

Originally created by @Bolthier on GitHub (Jan 19, 2019). **Describe the bug** Guest user only accepts custom permissions from the role Public. Any other role permission is ignored. The default permissions however work if given from another role than Public. **Steps To Reproduce** 1. Go to roles and create another role "BookA", add this role to the user Guest 2. Create a book "BookA" and configure custom permissions for role BookA to view and none for role Public 3. Open a private tab with the book 4. See no book **Expected behavior** Guest user should inherit custom permissions from other roles than Public. **Your Configuration (please complete the following information):** - Exact BookStack Version: BookStack v0.25.0 - PHP Version: 7.2.10 - Hosting Method: Apache2 **Additional context** I use custom permissions for all of my books. For every book I use a different role with the same name as the book. Only this role can create or edit. If I want users to edit a book, I just add them to the role and I'm done with it. This way I can also easily overview any given edit permissions of a user. This works pretty flawless except for the Guest user, which I want to give edit access to some books but without loosing track where the role Public has permission to edit. This can get icky with an expanding library.

OVERLORD added the 🐛 Bug📖 Docs Update🏭 Back-End labels 2026-02-04 23:21:24 +03:00

OVERLORD closed this issue 2026-02-04 23:21:26 +03:00

OVERLORD commented 2026-02-04 23:21:35 +03:00

Author

Owner

Copy Link

@ssddanbrown commented on GitHub (May 17, 2022):

Sorry for the very late response, Just looking through old issues and came across this and decided to check.

Can confirm this is the case, Is due to this condition:
9490457d04/app/Auth/Permissions/PermissionService.php (L114)

Might be something we should address during permission system review so "breaking" changes will be wrapped up in one go.
Will be dangerous to just go ahead and update the logic, since this has likely been in place since the early days of the permission system. I'd count that as a breaking change as may expose content not previously thought as exposed.

To do this safely I'd suggest we, on change of this logic:

• Drop existing secondary (Non-public) roles from the guest user via database migration.
  • This will remove potentially used system permissions and hence be a breaking change still.
    • These could be easily re-applied under the caution of the considerations after upgrade.
  • This would safely disconnect any entity-permissions which may become active after logic change.

@ssddanbrown commented on GitHub (May 17, 2022): Sorry for the very late response, Just looking through old issues and came across this and decided to check. Can confirm this is the case, Is due to this condition: https://github.com/BookStackApp/BookStack/blob/9490457d044b51fbe330998ce37dcfe255038f55/app/Auth/Permissions/PermissionService.php#L114 Might be something we should address during permission system review so "breaking" changes will be wrapped up in one go. Will be dangerous to just go ahead and update the logic, since this has likely been in place since the early days of the permission system. I'd count that as a breaking change as may expose content not previously thought as exposed. To do this safely I'd suggest we, on change of this logic: - Drop existing secondary (Non-public) roles from the guest user via database migration. - This will remove potentially used system permissions and hence be a breaking change still. - These could be easily re-applied under the caution of the considerations after upgrade. - This would safely disconnect any entity-permissions which may become active after logic change.

OVERLORD commented 2026-02-04 23:21:39 +03:00

Author

Owner

Copy Link

@ssddanbrown commented on GitHub (Jun 10, 2023):

Apologies in the extra year of delay for this, I has missed this during permission system changes.
I've now applied the relevant changes in 777027bc48.
This will be part of the next feature release.

As I planned above, additional assigned guest user roles will be detached upon upgrade for safety.
These could have still applied some active permissions, so this will be a potential breaking change of access state, but should be easy for admins to re-assign after update where needed. Will have a breaking change advisory to advise of this for the feature release.

Thanks @Bolthier for raising.

Docs Updates

• - Upgrade notice to advise of changes and drop of additional guest user roles.

@ssddanbrown commented on GitHub (Jun 10, 2023): Apologies in the extra year of delay for this, I has missed this during permission system changes. I've now applied the relevant changes in 777027bc48d628f1283b0a734ffabe5dbabebc36. This will be part of the next feature release. As I planned above, additional assigned guest user roles will be detached upon upgrade for safety. These could have still applied some active permissions, so this will be a potential breaking change of access state, but should be easy for admins to re-assign after update where needed. Will have a breaking change advisory to advise of this for the feature release. Thanks @Bolthier for raising. ### Docs Updates - [x] - Upgrade notice to advise of changes and drop of additional guest user roles.

Sign in to join this conversation.

No Branch/Tag Specified

Branches Tags

development

l10n_development

further_theme_development

release

llm_only

vectors

v25-11

docker_env

drawio_rendering

user_permissions

ldap_host_failover

svg_image

prosemirror

captcha_example

fix/video-export

v25.12.3

v25.12.2

v25.12.1

v25.12

v25.11.6

v25.11.5

v25.11.4

v24.11.4

v25.11.3

v25.11.2

v25.11.1

v25.11

v25.07.3

v25.07.2

v25.07.1

v25.07

v25.05.2

v25.05.1

v25.05

v25.02.5

v25.02.4

v25.02.3

v25.02.2

v25.02.1

v25.02

v24.12.1

v24.12

v24.10.3

v24.10.2

v24.10.1

v24.10

v24.05.4

v24.05.3

v24.05.2

v24.05.1

v24.05

v24.02.3

v24.02.2

v24.02.1

v24.02

v23.12.3

v23.12.2

v23.12.1

v23.12

v23.10.4

v23.10.3

v23.10.2

v23.10.1

v23.10

v23.08.3

v23.08.2

v23.08.1

v23.08

v23.06.2

v23.06.1

v23.06

v23.05.2

v23.05.1

v23.05

v23.02.3

v23.02.2

v23.02.1

v23.02

v23.01.1

v23.01

v22.11.1

v22.11

v22.10.2

v22.10.1

v22.10

v22.09.1

v22.09

v22.07.3

v22.07.2

v22.07.1

v22.07

v22.06.2

v22.06.1

v22.06

v22.04.2

v22.04.1

v22.04

v22.03.1

v22.03

v22.02.3

v22.02.2

v22.02.1

v22.02

v21.12.5

v21.12.4

v21.12.3

v21.12.2

v21.12.1

v21.12

v21.11.3

v21.11.2

v21.11.1

v21.11

v21.10.3

v21.10.2

v21.10.1

v21.10

v21.08.6

v21.08.5

v21.08.4

v21.08.3

v21.08.2

v21.08.1

v21.08

v21.05.4

v21.05.3

v21.05.2

v21.05.1

v21.05

v21.04.6

v21.04.5

v21.04.4

v21.04.3

v21.04.2

v21.04.1

v21.04

v0.31.8

v0.31.7

v0.31.6

v0.31.5

v0.31.4

v0.31.3

v0.31.2

v0.31.1

v0.31.0

v0.30.7

v0.30.6

v0.30.5

v0.30.4

v0.30.3

v0.30.2

v0.30.1

v0.30.0

v0.29.3

v0.29.2

v0.29.1

v0.29.0

v0.28.3

v0.28.2

v0.28.1

v0.28.0

v0.27.5

v0.27.4

v0.27.3

v0.27.2

v0.27.1

v0.27

v0.26.4

v0.26.3

v0.26.2

v0.26.1

v0.26.0

v0.25.5

v0.25.4

v0.25.3

v0.25.2

v0.25.1

v0.25.0

v0.24.3

v0.24.2

v0.24.1

v0.24.0

v0.23.2

v0.23.1

v0.23.0

v0.22.0

v0.21.0

v0.20.3

v0.20.2

v0.20.1

v0.20.0

v0.19.0

v0.18.5

v0.18.4

v0.18.3

v0.18.2

v0.18.1

v0.18.0

v0.17.4

v0.17.3

v0.17.2

v0.17.1

v0.17.0

v0.16.3

v0.16.2

v0.16.1

v0.16.0

v0.15.3

v0.15.2

v0.15.1

v0.15.0

v0.14.3

v0.14.2

v0.14.1

v0.14.0

v0.13.1

v0.13.0

v0.12.2

v0.12.1

v0.12.0

v0.11.2

v0.11.1

v0.11.0

v0.10.0

v0.9.3

v0.9.2

v0.9.1

v0.9.0

v0.8.2

v0.8.1

v0.8.0

v0.7.6

v0.7.5

v0.7.4

v0.7.3

0.7.2

v.0.7.1

v0.7.0

v0.6.3

v0.6.2

v0.6.1

v0.6.0

v0.5.0

Labels

Clear labels

🎨 Design

📖 Docs Update

🐛 Bug

🐛 Bug

:cat2:🐈 Possible duplicate

💿 Database

☕ Open to discussion

💻 Front-End

🐕 Support

🚪 Authentication

🌍 Translations

🔌 API Task

🏭 Back-End

⛲ Upstream

🔨 Feature Request

🛠️ Enhancement

🛠️ Enhancement

🛠️ Enhancement

❤️ Happy feedback

🔒 Security

🔍 Pending Validation

💆 UX

📝 WYSIWYG Editor

🌔 Out of scope

🔩 API Request

:octocat: Admin/Meta

🖌️ View Customization

❓ Question

🚀 Priority

🛡️ Blocked

🚚 Export System

♿ A11y

🔧 Maintenance

> Markdown Editor

No Label 📖 Docs Update 🐛 Bug 🏭 Back-End

Milestone

No items

No Milestone

Projects

Clear projects

No project

Assignees

Clear assignees

OVERLORD

No Assignees

1 Participants

Notifications

Subscribe

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: starred/BookStack#999