Users can edit and rename shelves #5458

Open
Salla205 opened this issue Jan 31, 2025 · 2 comments
@Salla205

Describe the Bug

The Asset Permissions set under Settings → Roles do not automatically apply to added shelves. A shelf will only become visible to users and its functions will be activated once one of the options "View," "Create," "Update," or "Delete" is selected. The specific permissions assigned to a shelf override the general role settings and can render them ineffective.

Here are a few images for better understanding.

Image

Image

Image

Background on Company Usage
We plan to introduce BookStack company-wide and provide each department with its own shelf. Additionally, the IT department will provide shelves containing central documentation.

  • Department Shelves: Visible only to the respective department and admins – not to other departments.
  • Permissions in Department Shelves: Users can create books but cannot edit the shelf itself. Within their own department, users are allowed to delete books, chapters, and pages.
  • IT Department Shelves: Documentation with view-only permissions must not be copied.

Additionally, only shelves should be displayed, and users should not be able to create books via "Book", as these are only visible to themselves.

Image

Steps to Reproduce

Go to Settings → Roles and create a new role.
Assign Asset Permissions as shown in the image above. No System Permissions are selected.

Now, add this role to a shelf under Shelves → Add Role, but do not check "View," "Create," "Update," or "Delete." The shelf will not be visible to the user.

  • The shelf only becomes visible when "View" is selected.
  • The "Create" option has no effect.
  • "Update" allows users to create books but also edit shelves—which should not be possible.
  • "Delete" enables users to delete shelves, even though this permission is not explicitly selected.

Expected Behaviour

Either the "Create" permission must be enabled to allow book creation, or the specific shelf permissions should not override the Asset Permissions.

Additionally, there should be a button to hide Books in the top navigation bar and display only Shelves, since users should not create their own books. This option should only be available to Admins or IT users.

Screenshots or Additional Context

No response

Browser Details

No response

Exact BookStack Version

BookStack v24.10

@ssddanbrown
Member

Hi @Salla205,
I'm not really sure I see a bug here.

Quoting the reproduction steps:

> The shelf only becomes visible when "View" is selected.

I don't have full visibility of the permissions at play via the screenshots provided, but this is expected. Users will need some form of view permission to see items. Lack of view via overrides will take precedence.

> The "Create" option has no effect.

Yes, they are only used for copying as mentioned in the permissions page, denoted by the *.

> "Update" allows users to create books but also edit shelves—which should not be possible.

Update affects the ability to update the shelf in any way. The details and contents (assigned books) are both considered part of the shelf.

> "Delete" enables users to delete shelves, even though this permission is not explicitly selected.

I don't know what is meant by that tbh.


Shelves are only really meant to be a high-level categorization option around books. Books do not belong to them, but are on them. Where permissions are managed, keeping things at book level is generally much simpler and easier with regard to permission management.

@Salla205
Author

Salla205 commented Feb 3, 2025

I'll try to explain it.

My idea was to create a shelf for each department in our company. On this shelf, employees of the respective department can create, update, and delete books, and the same applies to chapters and pages in the books. However, the shelf itself should not be editable. For each department, I will create a role that includes only "Asset Permissions" (see first screenshot) and no "System Permissions." I will then assign this role to the respective shelf.

The additional permissions "View," "Create *," "Update," and "Delete" on the shelf confused me. Without making a selection, nothing happens. However, when one of these additional permissions is selected, the "Asset Permissions" of the role are ignored.

I then tried it at the book level. The shelf level represented a higher-level area, and each department was assigned at the book level. Again, I added the role (only "Asset Permissions" and no "System Permissions"). At this level, chapters and pages could be created, but not deleted. It was only after I added the "Delete" permission at the book level that chapters and pages could be deleted – but also the book itself.
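A simplified model of the override behaviour described in this thread, added here as an example; it is not BookStack's code. The `Entity` class, `can` function and the `dept` role are hypothetical, and the model assumes a single role and that an entity-level row replaces the role's asset permissions for that entity and for the chapters and pages beneath a book.

```python
from dataclasses import dataclass, field
from typing import Optional

ACTIONS = ("view", "create", "update", "delete")

@dataclass
class Entity:
    kind: str                        # "shelf", "book", "chapter" or "page"
    name: str
    parent: Optional["Entity"] = None  # books have no shelf parent: they sit "on" shelves
    # Entity-level rows: role name -> set of ticked actions (may be empty).
    overrides: dict = field(default_factory=dict)

def effective_row(entity, role_name):
    """Nearest entity-level row for the role, walking up page -> chapter -> book."""
    node = entity
    while node is not None:
        if role_name in node.overrides:
            return node.overrides[role_name]
        node = node.parent
    return None

def can(role_name, asset_perms, entity, action):
    """asset_perms: set of (kind, action) pairs ticked under Settings -> Roles."""
    row = effective_row(entity, role_name)
    if row is not None:
        # An entity-level row replaces the role's asset permissions; it does not merge.
        return action in row
    return (entity.kind, action) in asset_perms

# Constructed sample role: full rights on books, chapters and pages, view-only on shelves.
DEPT = {(k, a) for k in ("book", "chapter", "page") for a in ACTIONS} | {("shelf", "view")}

def demo():
    shelf = Entity("shelf", "Dept shelf")
    book = Entity("book", "Handbook")
    page = Entity("page", "Onboarding", parent=book)
    results = {}
    shelf.overrides["dept"] = set()              # role added, nothing ticked
    results["shelf_hidden"] = not can("dept", DEPT, shelf, "view")
    shelf.overrides["dept"] = {"view", "update"}  # ticking Update makes the shelf editable
    results["shelf_editable"] = can("dept", DEPT, shelf, "update")
    book.overrides["dept"] = {"view", "create", "update"}
    results["page_delete_blocked"] = not can("dept", DEPT, page, "delete")
    book.overrides["dept"].add("delete")         # Delete on the book covers the book too
    results["page_delete"] = can("dept", DEPT, page, "delete")
    results["book_delete"] = can("dept", DEPT, book, "delete")
    return results
```

In this model, once a role has a row on an entity, that row has to list every action the role should keep there, because the role's asset permissions are no longer consulted.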
