BookStack
Permission for Viewing Revisions
Describe the feature you'd like
I would like to have the possibility to remove the ability for anyone in the world to view the revisions of a page. Put another way, I would like for revision viewing to be a specific permission, rather than tied to the blanket ability to view a page at all.
Describe the benefits this would bring to existing BookStack users
Sometimes mistakes are made to previous revisions, or directions are given that may prove dangerous, necessitating the updating of the pages to correct the mistake or remove the dangerous information.
While I can remove revisions now, I must do it by hand or scripting with PHP artisan and I don't necessarily want to do a blanket removal of revisions. While I want my admins and documentation people to be able to see and use revisions, I can't see a good reason for the general public to see the old revisions.
Can the goal of this request already be achieved via other means?
Unknown. Hiding the links would be sufficient too, though permissions are preferred. The old -and now unavailable- behavior of requiring edit to view revisions was also sufficient.
Have you searched for an existing open/closed issue?
- [X] I have searched for existing issues and none cover my fundamental request
How long have you been using BookStack?
6 months to 1 year
Additional context
No response
One simple solution for you would be to change the code yourself. You just need to edit `app/Entities/Controllers/PageRevisionController.php`.
You have to call `$this->checkPermission('settings-manage');`
in every method (index, show, changes). By doing this, only admin users can see the revision viewing.
Just to mention: I would do this as part of the visual theme system and not by editing the core files, because these files are getting replaced on an update.
The visual theme system API is deemed stable, so would be documented/announced if changed (and it's something I try to ensure remains stable), but the contents of views are not. You could add permission checks into views to hide content on permission check, but there'd be a lot to add.
Using the logical theme system you could do something like this to add prevention without altering app files:
```php
<?php

use BookStack\Exceptions\NotifyException;
use BookStack\Facades\Theme;
use BookStack\Theming\ThemeEvents;
use Illuminate\Http\Request;

Theme::listen(ThemeEvents::WEB_MIDDLEWARE_BEFORE, function (Request $request) {
    if (str_contains($request->url(), '/revisions') && !userCan('settings-manage')) {
        throw new NotifyException("Access to revisions not allowed", '/', 403);
    }
});
```
(Hacks like the above are unsupported and unofficial functionality)
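A narrower variant of the hook above, added here as an example and not part of the thread or of BookStack's own code: it matches only page-revision routes instead of any URL containing `/revisions`, so a book or page whose slug starts with "revisions" stays viewable. The route shape and the `isRevisionPath` helper are assumptions to check against the installed version's `routes/web.php`; the `settings-manage` check is kept from the snippet above.

```php
<?php
// Added example for a theme functions.php file; not BookStack project code.

use BookStack\Exceptions\NotifyException;
use BookStack\Facades\Theme;
use BookStack\Theming\ThemeEvents;
use Illuminate\Http\Request;

/**
 * Hypothetical helper: true only for page-revision routes.
 * Assumed route shape: books/{book}/page/{page}/revisions[/...]
 */
function isRevisionPath(string $path): bool
{
    // Normalise first: decode percent-encoding and trim surrounding slashes.
    $path = trim(rawurldecode($path), '/');

    return preg_match('#^books/[^/]+/page/[^/]+/revisions(/.*)?$#', $path) === 1;
}

if (class_exists(Theme::class)) {
    // Inside BookStack: block revision routes for users without the permission.
    Theme::listen(ThemeEvents::WEB_MIDDLEWARE_BEFORE, function (Request $request) {
        if (isRevisionPath($request->path()) && !userCan('settings-manage')) {
            throw new NotifyException('Access to revisions not allowed', '/', 403);
        }
    });
} else {
    // Run directly with the PHP CLI: self-check on constructed sample paths.
    $samples = [
        'books/ops/page/runbook/revisions'           => true,
        'books/ops/page/runbook/revisions/12/changes' => true,
        'books/ops/page/runbook/revisions%2F12'      => true,  // encoded slash
        'books/revisions-policy/page/intro'          => false, // book slug only
        'books/ops/page/revisions'                   => false, // page slug only
        'books/ops/page/runbook/revisionsx'          => false,
    ];
    foreach ($samples as $path => $expected) {
        if (isRevisionPath($path) !== $expected) {
            throw new RuntimeException("Unexpected match result for: {$path}");
        }
    }
    echo "All sample paths classified as expected\n";
}
```

The two slug-only samples are paths that the substring check would also block, which is the over-matching this variant avoids.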
I'm re-opening since I've now had a good few requests for this so would be something to potentially include as a permission in control.
Additional request and context in #4544.
Any updates on this? Would like to hide revisions in public. Thank you for your work.