New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Move can be used to delete items #1200

Closed
Bolthier opened this Issue Dec 28, 2018 · 1 comment

Comments

2 participants
@Bolthier
Copy link

Bolthier commented Dec 28, 2018

Describe the bug
Move is essentially a delete option in combination with custom permissions. Right now the permission Edit gives the option to update, copy or move a page or chapter.

Steps To Reproduce
Steps to reproduce the behavior:

  1. Create two books (Book 1 & Book 2), Role A, a user in Role A and a page in Book 1
  2. Set custom permissions for Book 1 for Role A to Create, View & Edit
  3. Set custom permissions for Book 2 for Group A to Create, View, Edit & Delete
  4. Move Page 1 from Book 1 to Book 2
  5. Click Delete and the page is permanently deleted as the custom permissions of Book 1 don't matter for Book 2

Expected behavior
No option to move pages without the permission Delete from the source location as it deletes the item from the original location. Likewise as it needs the Create and not Edit permission on target location.

Copy doesnt't remove the original file from the original location so that's no problem.

Could be less of an issue with the recycle bin, but is still an isolated issue of its own.
#1017

Your Configuration:

  • Exact BookStack Version (Found in settings): BookStack v0.24.2
  • PHP Version: 7.2
  • Hosting Method (Nginx/Apache/Docker): Apache2
@ssddanbrown

This comment has been minimized.

Copy link
Member

ssddanbrown commented Dec 28, 2018

@Bolthier Interesting, good find, Thanks for raising.
Based on the above, I agree, The user should require delete permissions on the page when it's at it's original locations. So the required permissions will be as follows:

  • Update permission in origin location.
  • Delete permission in origin location.
  • Create permission in target location.

Have marked to be in the next release.

@ssddanbrown ssddanbrown self-assigned this Jan 5, 2019

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment