Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Image delete button visible without permission #3697

Closed
Mailstorm-ctrl opened this issue Sep 5, 2022 · 1 comment
Closed

Image delete button visible without permission #3697

Mailstorm-ctrl opened this issue Sep 5, 2022 · 1 comment
Labels
🐛 Bug 🏭 Back-End
Milestone
v22.09

Comments

@Mailstorm-ctrl
Copy link

Describe the Bug

This might be in other places but this bug is specifically for images.

If a user is allowed to VIEW pictures but NOT DELETE them the user will still have access to the delete button in the image select menu.
image

If I click on the confirm button, I will get a bugged view of the image select screen that is only temporary.
image

The image doesn't delete (good) but the button still shouldn't be visible. Just a minor QoL thing.

Steps to Reproduce

  1. Create a role that can view images but not delete them.
  2. Have a book where that role can view/create/edit but not delete.
  3. Upload an image to a page is said book.
  4. Save page.
  5. Open page and try to delete the image from the image select menu.
  6. Observe.

Expected Behaviour

Delete button to be not visible or at least not-clickable.

Screenshots or Additional Context

No response

Browser Details

No response

Exact BookStack Version

v22.07.3

PHP Version

No response

Hosting Environment

Ubuntu 20.04 LTS in a LXC container.
ssddanbrown added a commit that referenced this issue Sep 5, 2022
@ssddanbrown
Added permission visiblity control to image-delete button
fbef0d0 
Includes test to cover.
For #3697
@ssddanbrown ssddanbrown added this to the Next Feature Release milestone Sep 5, 2022
@ssddanbrown
Copy link
Member

Thanks for reporting @Mailstorm-ctrl.
Can confirm that permission-based visibility of this button was not active.
Have added within commit fbef0d0, to be part of the next feature release.

@ssddanbrown ssddanbrown changed the title Viewing actions you don't have permission to do Image delete button visible without permission Sep 6, 2022
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
🐛 Bug 🏭 Back-End
Milestone
v22.09
Development

No branches or pull requests
2 participants
@ssddanbrown @Mailstorm-ctrl