Pictures permission with copy paste not set #1287

Closed
JtheBAB opened this Issue Feb 19, 2019 · 3 comments

JtheBAB commented Feb 19, 2019

Describe the bug
When a user adds a picture directly in the editor with copy & paste, the picture is visible to all users.

Steps To Reproduce
Steps to reproduce the behavior:

  1. Create two roles that only allow editing / deleting own images, and add user A to role A and user B to role B
  2. Log in with user A
  3. Create or edit a page
  4. Copy a picture with copy and paste
  5. Save the page
  6. Log in with user B
  7. Create or edit a page
  8. Insert a picture
  9. You will see the picture from User A

Expected behavior
User B shouldn't see the picture of User A.
When User A uses the picture upload function, User B can't see the picture that User A uploaded.

Your Configuration (please complete the following information):

  • Exact BookStack Version (Found in settings): v0.25.1
  • PHP Version: 7.3
  • Hosting Method (Nginx/Apache/Docker): Apache

Member

ssddanbrown commented Feb 19, 2019

Hi @JtheBAB,
Thank you for clearly defining this issue.

So image permissions are a little complex as visibility will depend on configuration, context and permissions.

Configuration

By default in BookStack, for performance reasons, images are put into public space where auth is not required. You can alternatively configure this to store such images in a local folder that's not within public space (local_secure option). Details of this can be found in the docs here.

Context & Permissions

As mentioned in the roles screen when selecting image permissions, view permissions are controlled by the assets they are uploaded to. This visibility primarily is in reference to the list shown in the image manager.

General access visibility, when an image is used in a page or copied across pages, is not checked since this level of permission checking would require a fair bit of extra complexity when page content is shown.

Perhaps we need to update the wording used in the roles view to clarify this.

Author

JtheBAB commented Feb 20, 2019

Hi @ssddanbrown

As I wrote, the permission system for images is working fine. But only when you upload the pictures with "Insert a Image" and then upload the image with "Drop images or click here to upload".

When you just copy the image and paste it directly into your text, the permission system is not working.

Edit:
To be clear: I use the local_secure option. What I mean by the picture being visible is that when you open "Insert a Image" you can see the pictures from other users that are copy-pasted, but only these images.

Member

ssddanbrown commented Feb 20, 2019

@JtheBAB Ah, thanks for clarifying. Sorry for misunderstanding.

Have marked as a priority for the next release. Good find!

ssddanbrown self-assigned this Mar 8, 2019