Custom permissions do not affect book cover images #1128

Closed
Bolthier opened this issue Nov 16, 2018 · 2 comments

@Bolthier
commented Nov 16, 2018

Describe the bug
Book cover image viewable and even deletable by user without any custom permissions (view, edit or delete) for a book.

Steps To Reproduce
Steps to reproduce the behavior:

  1. Create 2 books (Book A and Book B) and 2 users (Alice and Bob)
  2. Change custom permission: Book A so only Alice can view, edit and delete Book A
  3. Give Bob permission to edit Book B (through custom or default)
  4. Upload book cover image with Alice to Book A and save
  5. Login with Bob > Edit Book B > Go to Cover Image Selection
    Result: Bob can view Alice's cover image for Book A but not the book itself. With default permission 'delete' Bob can even delete Alice's book cover completely.

Expected behavior
Book cover images uploaded to non-viewable books shouldn't be viewable in the image assets selection for other book covers. The same behaviour as for images in hidden pages.

Your Configuration (please complete the following information):

  • Exact BookStack Version (Found in settings): BookStack v0.24.2
  • PHP Version: 7.2
  • Hosting Method (Nginx/Apache/Docker): Apache2
@ssddanbrown

Member

commented Nov 24, 2018

Yeah, I think the image selection for books and shelves needs to be re-worked to not go through the manager, and instead directly select images.

@ssddanbrown

Member

commented May 4, 2019

Thanks for reporting @Bolthier.

As of the implementation of #1410, cover images are now directly selected instead of using the image manager, therefore inheriting the permissions of the books. This will be part of the next release.

@ssddanbrown ssddanbrown closed this May 4, 2019
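
The reproduction steps in this issue can be turned into a regression check. The following is an added example, not BookStack code and not the change made in #1410: a small Python model in which every class and function name is hypothetical, the data is constructed from the Alice/Bob steps above, and Bob is assumed to also hold view permission on Book B. It contrasts a shared gallery that lists every cover with one that derives each image's visibility and deletability from the book it was uploaded to.

```python
from dataclasses import dataclass, field


@dataclass
class Book:
    name: str
    # Hypothetical stand-in for custom permissions: user -> allowed actions.
    perms: dict = field(default_factory=dict)

    def allows(self, user, action):
        return action in self.perms.get(user, set())


@dataclass
class Image:
    name: str
    uploaded_to: Book  # the book this cover image belongs to


def gallery_unfiltered(images, user):
    """Reported behaviour: the shared cover gallery lists every image."""
    return [img.name for img in images]


def gallery_filtered(images, user):
    """Expected behaviour: list only images whose parent book the user may view."""
    return [img.name for img in images if img.uploaded_to.allows(user, "view")]


def can_delete_image(img, user):
    """Deletion is decided by the parent book, not by a global default permission."""
    return img.uploaded_to.allows(user, "delete")


def scenario():
    """Constructed data following the issue's steps (Book A, Book B, Alice, Bob)."""
    book_a = Book("Book A", {"alice": {"view", "edit", "delete"}})
    book_b = Book("Book B", {"alice": {"view"}, "bob": {"view", "edit"}})
    return [Image("cover-a.png", book_a), Image("cover-b.png", book_b)]


if __name__ == "__main__":
    imgs = scenario()
    print("unfiltered for bob:", gallery_unfiltered(imgs, "bob"))
    print("filtered for bob:  ", gallery_filtered(imgs, "bob"))
    print("bob may delete cover-a:", can_delete_image(imgs[0], "bob"))
```
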
