Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Move can be used to delete items #1200

Closed
Bolthier opened this issue Dec 28, 2018 · 3 comments
Closed

Move can be used to delete items #1200

Bolthier opened this issue Dec 28, 2018 · 3 comments
Assignees
@ssddanbrown
Labels
🏭 Back-End 🔒 Security
Milestone
v0.25.0

Comments

@Bolthier
Copy link

Bolthier commented Dec 28, 2018
edited
Loading

Describe the bug
Move is essentially a delete option in combination with custom permissions. Right now the permission Edit gives the option to update, copy or move a page or chapter.

Steps To Reproduce
Steps to reproduce the behavior:

  1. Create two books (Book 1 & Book 2), Role A, a user in Role A and a page in Book 1
  2. Set custom permissions for Book 1 for Role A to Create, View & Edit
  3. Set custom permissions for Book 2 for Group A to Create, View, Edit & Delete
  4. Move Page 1 from Book 1 to Book 2
  5. Click Delete and the page is permanently deleted as the custom permissions of Book 1 don't matter for Book 2

Expected behavior
No option to move pages without the permission Delete from the source location as it deletes the item from the original location. Likewise as it needs the Create and not Edit permission on target location.

Copy doesnt't remove the original file from the original location so that's no problem.

Could be less of an issue with the recycle bin, but is still an isolated issue of its own.
#1017

Your Configuration:

  • Exact BookStack Version (Found in settings): BookStack v0.24.2
  • PHP Version: 7.2
  • Hosting Method (Nginx/Apache/Docker): Apache2
@ssddanbrown ssddanbrown added this to the BookStack Beta v0.25.0 milestone Dec 28, 2018
@ssddanbrown
Copy link
Member

@Bolthier Interesting, good find, Thanks for raising.
Based on the above, I agree, The user should require delete permissions on the page when it's at it's original locations. So the required permissions will be as follows:

  • Update permission in origin location.
  • Delete permission in origin location.
  • Create permission in target location.

Have marked to be in the next release.

@ssddanbrown ssddanbrown self-assigned this Jan 5, 2019
@sexy-trousers
Copy link

Although I agree with what's said here (in particular about the recycle bin negating some of this), you should be able to Move elements within a Book.

@Bolthier was pointing out how you can potentially circumvent security to delete elements, but if the move was contained within the book the user had access to, the Delete permission shouldn't be required.

TJ

@Bolthier
Copy link
Author

Bolthier commented Nov 7, 2019

@sexy-trousers As it's possible to assign Delete permissions on a chapter by chapter base I think it would still be a potential security issue.

I think the same issue exists for the Sort Book function.

@Arpafaucon Arpafaucon mentioned this issue Oct 26, 2022
Open
@ssddanbrown ssddanbrown mentioned this issue Nov 17, 2022
Closed
3 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@ssddanbrown ssddanbrown

Labels
🏭 Back-End 🔒 Security
Milestone
v0.25.0
Development

No branches or pull requests
3 participants
@ssddanbrown @Bolthier @sexy-trousers