Role Admin can be removed from user Admin #1124

Closed
Bolthier opened this Issue Nov 14, 2018 · 2 comments

Bolthier commented Nov 14, 2018

Describe the bug
While the role admin cannot be restricted, it is possible to remove the user Admin from this role.

Steps To Reproduce
Steps to reproduce the behavior:

  1. Go to Settings > Users > Admin
  2. Remove role Admin > add role Public > Save
  3. "You have no permission to view this site."

Expected behavior
Error Message "You can't remove the role Admin for this user." or "At least one user must inherit the role Admin." or a gray box before role Admin.

Similar to the way the permissions of the role Admin cannot be altered, it shouldn't be allowed to remove the role Admin from the user admin. It should only be possible to add other roles.

For better understanding, the permanent permissions set for the role Admin should be grayed out too.

Your Configuration (please complete the following information):

  • Exact BookStack Version (Found in settings): BookStack v0.24.2
  • PHP Version: 7.2
  • Hosting Method (Nginx/Apache/Docker): Apache2

Related but not the same issues:
#834
#977

Contributor

lommes commented Dec 5, 2018

@ssddanbrown How are you planning to implement this?

It is of course useful to remove the Admin role from users and there might even be valid use cases where it is intended to remove the role from the currently authenticated user (especially together with LDAP group sync). There still is `php artisan bookstack:create-admin` to fix this.

Member

ssddanbrown commented Dec 5, 2018

@lommes I was thinking about just adding a check to see if the user is the only remaining admin user, then throw an error if so. So the current user can still remove the role from themselves if there's another admin in the system.
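
The check proposed in the comment above, sketched as an added example that is not part of the original thread and is not BookStack's own code. The `updateUserRoles` helper, the role names as strings and the in-memory user list are assumptions made for illustration.

```php
<?php
// Constructed sample data: user id => role names. Not BookStack's schema.
$userRoles = [
    1 => ['admin'],
    2 => ['editor'],
    3 => ['public'],
];

// Hypothetical helper: replace a user's roles, refusing the change if it
// would leave the system without any user holding the admin role.
function updateUserRoles(array $userRoles, int $userId, array $newRoles): array
{
    if (!array_key_exists($userId, $userRoles)) {
        throw new InvalidArgumentException("Unknown user id {$userId}");
    }

    $losesAdmin = in_array('admin', $userRoles[$userId], true)
        && !in_array('admin', $newRoles, true);

    if ($losesAdmin) {
        // Count admins other than the user being edited.
        $otherAdmins = 0;
        foreach ($userRoles as $id => $roles) {
            if ($id !== $userId && in_array('admin', $roles, true)) {
                $otherAdmins++;
            }
        }
        if ($otherAdmins === 0) {
            throw new DomainException('Cannot remove the admin role from the only remaining admin user.');
        }
    }

    $userRoles[$userId] = array_values(array_unique($newRoles));
    return $userRoles;
}

// Case from the report: the sole admin swaps admin for public, which is rejected.
try {
    updateUserRoles($userRoles, 1, ['public']);
} catch (DomainException $e) {
    echo "Rejected: {$e->getMessage()}\n";
}

// With a second admin present, user 1 may remove the role from themselves.
$userRoles = updateUserRoles($userRoles, 2, ['admin', 'editor']);
$userRoles = updateUserRoles($userRoles, 1, ['public']);
echo 'User 1 roles: ' . implode(', ', $userRoles[1]) . "\n";
```

In a database-backed application the count and the update would need to run in one transaction, otherwise two admins demoting each other at the same moment could both pass the check.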
