BookStack
[Feature Request] User can view only the specified shelves/books
Describe the feature you'd like
Manage what shelf or book a specific user account could access (all others would be invisible or read-only).
Describe the benefits this feature would bring to BookStack users
This allows sharing the BookStack system with users that could see or interact with just designated books.
This is exactly what I need. I see this on 2 levels:
- Making books visible to users (or user groups) or not, so with the role viewer
- Making books editable to users (or user groups) or not, so with the role editor

This is an important feature in case you would want to use BookStack in larger communities.
You can currently create a role for a user, remove all view/edit/delete permissions for that user in their role settings, then assign permissions for that role for a particular shelf/book/chapter/page. Book/Chapter permissions will cascade down automatically.
Is there a particular thing in the current permission flow that prevents you from doing what you need?
> You can currently create a role for a user, remove all view/edit/delete permissions for that user in their role settings, then assign permissions for that role for a particular shelf/book/chapter/page. Book/Chapter permissions will cascade down automatically.
> Is there a particular thing in the current permission flow that prevents you from doing what you need?
Thanks for replying! This can work, but now I want to allow access just to one chapter. I see it with the user that I give this permission and the book name doesn't appear. If I give him access to a chapter from another book, for him it looks the same. Anyway, this is a hard way to configure these things, 'cause you can't get a great view of a user's permissions, making it easy to leak something. I suggest keeping all the permissions in one screen with advanced permission changes, so you can list all books a user/group can access and then the options to view, create, update or delete for each book.
Just to let you know that BookStack is an amazing tool! Me and my partners are loving it!
> Book/Chapter permissions will cascade down automatically.
After giving "read" permissions to a shelf for viewers, it didn't cascade into the books inside, I had to give the permissions to the books inside the shelf. Did I miss something?
@adocampo Shelf permissions don't cascade, just books and chapters. There are UI & command-line options to copy shelf permissions down but it can't be done automatically/live.
Oh, I understood wrong then, I expected to put the permissions on the shelf and propagate to all the books inside. Thank you for the tip, I need to pay attention to what is shown in the permissions settings on the shelf, as I didn't notice the "Copy Permissions to Books" section.
> You can currently create a role for a user, remove all view/edit/delete permissions for that user in their role settings, then assign permissions for that role for a particular shelf/book/chapter/page. Book/Chapter permissions will cascade down automatically.

While this certainly works, it's a bit of a cumbersome solution, especially when working with many projects/people. Currently when creating a new book, for which I want only a specific group of people to have access, I have to:
- Create a book
- Create a new user group
- Add each person individually, through their user settings page, to the newly created group
- Modify custom permissions for the newly created book
While this doesn't sound that complex on paper, this isn't very user-friendly when managing an instance with many users and groups. That's mostly because I have to navigate manually to each user setting to include them in a group. Then, when modifying the custom book permissions, I have to browse through the list of all groups, which also is not that clear.
If not allowing for adding people directly to the book permissions (besides the groups system), maybe adding an option to add people to a group directly from the group page would simplify this? I'll check if there's a request for this already, if not I'll create one.
Current system is hell! It took me an hour and a half today to set all book, chapter and page permissions to custom only to limit access for a temporary group that does an audit of parts of our system. The problem is that permissions cascade:
- I create a role with no permissions
- I assign pages to this role
- Then I noticed that the role won't see the page since access to the book/chapter is missing.
- So I set view permission on book level
- Now I had to set custom permissions on all pages the role should not see only to make one page in a book accessible
In short, the current permission system is not flexible enough for companies.
Edit: Is there a command to remove all custom permissions in the system? I really don't like to undo all of that manually after the review is over.
> In short, the current permission system is not flexible enough for companies.

For your company/use-case maybe. I'm aware there's room for improvement here. Reviewing the permission system is next on the roadmap.
> Now I had to set custom permissions on all pages the role should not see only to make one page in a book accessible

This should not be true. You can make a page or chapter viewable without making the book visible. It will however affect discoverability since they won't find it via the book hierarchy but they can still access via another list (such as recently updated) or a direct link, at which point they could add it to their favourites for easier future access.
> Edit: Is there a command to remove all custom permissions in the system? I really don't like to undo all of that manually after the review is over.
No such command. Technically you could do this via the database combined with another command but I'm apprehensive to recommend this route as it's more error prone. On the search page there is a filter to identify items that have custom permissions applied which should help you gather a list of content to work from.
Please give me the DB fix. I have rolling backups and they are tested ;-) And yes, the discoverability is the issue for me.
@jwillmer I have not fully tested this, and still don't advise it, but this would be the database process:
```sql
-- Remove every custom (per-item) permission entry
truncate table entity_permissions;
-- Clear the custom-permissions flag on each content type
update books set restricted=0 where restricted = 1;
update chapters set restricted=0 where restricted = 1;
update pages set restricted=0 where restricted = 1;
update bookshelves set restricted=0 where restricted = 1;
```
You'd then need to run the regenerate permissions command as detailed here:
https://www.bookstackapp.com/docs/admin/commands/#regenerate-access-permissions
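A pre-check and snapshot to run before the reset described above, so that items which were deliberately restricted can be identified and re-restricted afterwards. This is an added example, not part of the original comment or of BookStack itself; it assumes MySQL/MariaDB, an `id` primary key on each content table, and uses hypothetical `*_audit_backup` table names.

```sql
-- Added example. Table and column names entity_permissions / restricted come
-- from the comment above; the id column and *_audit_backup names are assumptions.

-- 1. Inventory: how many items of each type currently carry custom permissions.
SELECT 'bookshelves' AS entity, COUNT(*) AS restricted_items
  FROM bookshelves WHERE restricted = 1
UNION ALL
SELECT 'books', COUNT(*) FROM books WHERE restricted = 1
UNION ALL
SELECT 'chapters', COUNT(*) FROM chapters WHERE restricted = 1
UNION ALL
SELECT 'pages', COUNT(*) FROM pages WHERE restricted = 1;

-- 2. Snapshot the permission rows. TRUNCATE commits implicitly in MySQL/MariaDB,
--    so it cannot be rolled back inside a transaction; keep a copy instead.
CREATE TABLE entity_permissions_audit_backup AS
  SELECT * FROM entity_permissions;

-- 3. Snapshot which items had the restricted flag set, per content type.
CREATE TABLE restricted_items_audit_backup AS
  SELECT 'bookshelves' AS entity, id FROM bookshelves WHERE restricted = 1
  UNION ALL
  SELECT 'books', id FROM books WHERE restricted = 1
  UNION ALL
  SELECT 'chapters', id FROM chapters WHERE restricted = 1
  UNION ALL
  SELECT 'pages', id FROM pages WHERE restricted = 1;

-- 4. After the reset and the regenerate-permissions command, verify the result:
--    every count below should be 0.
SELECT 'entity_permissions' AS checked, COUNT(*) AS remaining
  FROM entity_permissions
UNION ALL
SELECT 'bookshelves', COUNT(*) FROM bookshelves WHERE restricted = 1
UNION ALL
SELECT 'books', COUNT(*) FROM books WHERE restricted = 1
UNION ALL
SELECT 'chapters', COUNT(*) FROM chapters WHERE restricted = 1
UNION ALL
SELECT 'pages', COUNT(*) FROM pages WHERE restricted = 1;
```

Review the rows in `restricted_items_audit_backup` before dropping it: any item that was restricted for reasons unrelated to the audit loses its custom permissions in the reset and needs them reapplied.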
Awesome, I will revert back once the audit is over.
Worked without any issues! Thanks again.
I'm going to close this issue off since the core request is fairly covered by #1747 and some of the other UX options discussed have also been separately raised in various forms.