User Groups and Permissions #54

Closed
cpressland opened this issue Feb 4, 2016 · 10 comments

Comments

@cpressland

It'd be nice to be able to define groups of users and then define on a Page or Chapter level if they're able to view said Page/Chapter.

For example, I have two groups, "Infrastructure" & "Developers"
I have a page called "Super Secret Information"

I may want "Infrastructure" to be able to view and edit "Super Secret Information" but "Developers" won't even be aware the page exists.

However, if a member of the "Developers" group is an Admin they should always be able to see everything. This should only apply to Viewers and Editors.

@tuudik

tuudik commented Feb 25, 2016

Yeah, currently ACL is missing. Would love it! 👍

@kristjankullerkann

👍

@armouredking

Piggybacking - It'd be nice for it to also have the ability to have multiuser controls. The way Bookstack is made, it'd be great for say a fan story site. However, atm there are only the three levels Viewer / Editor / Admin. Viewers can't create books, and Editors can write to any book. It'd be nice if there was a fourth level, between Viewer and Editor (Author?) where they can create books and edit their own books but nobody else's.

@ssddanbrown ssddanbrown self-assigned this Feb 26, 2016
@ssddanbrown
Member

The current permissions system is currently database driven so adding an interface to allow custom roles is definitely possible. The tricky part will be checking permissions every time an entity is shown but I'm sure I can figure it out. I've marked this up as my next major feature to work on.

@armouredking In implementing the base issue this should be covered as you'll be able to create custom roles. I'll ensure to have one of the assignable permissions to be something like 'Can edit own content' so you'll be able to create an 'Author' user as that's a great idea.

@ssddanbrown
Member

As of the latest release all the above is now possible. Details on the new roles & restriction systems can be found here: https://www.bookstackapp.com/blog/beta-release-v0-7-6/

Due to large changes there still may be some holes in this system. If any problems are found please open a new issue.

@tuudik

tuudik commented Mar 8, 2016

@ssddanbrown 👏 Nice job!

Does it work also with LDAP? :)

@ssddanbrown
Member

@tuudik No 😞

I've just opened #75 specifically for this.

Since I'm not too familiar with LDAP, what would be the ideal way of mapping LDAP groups to roles? Would assigning group DNs on each role be sufficient?

@tuudik

tuudik commented Mar 8, 2016

Maybe just adding the possibility to add a custom filter to each role the admin creates would work? @litewhatever what do you think?

@kristjankullerkann

If it isn't already possible then the easiest solution would probably be to just synchronize LDAP users to Bookstack and then assign those to Bookstack roles.
There should probably be the ability to define an LDAP query filter to narrow down which users are being synchronized.

@kristjankullerkann

A more difficult approach would be to define roles within LDAP and then synchronize LDAP users and roles to Bookstack and assign permissions to those (Confluence is using this approach if I'm not mistaken).
This is a bit complicated as there are various ways that groups/roles are built inside LDAP.
You could use the posixGroup objectClass, which defines members via the memberUid attribute (they map to the user uid), or the groupOfNames objectClass, which defines members via the member attribute (they map to the user's full DN).
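
The two membership schemas described in the comment above, resolved to roles through a role-to-group-DN table of the kind proposed earlier in the thread. This is an added example, not part of the original thread and not BookStack code; the directory entries, `ROLE_GROUPS` and all function names are constructed for illustration.

```python
# Constructed sample entries (DN -> attributes); none of this comes from the thread.
DIRECTORY = {
    "uid=alice,ou=people,dc=example,dc=org": {"objectClass": ["posixAccount"], "uid": ["alice"]},
    "uid=bob,ou=people,dc=example,dc=org": {"objectClass": ["posixAccount"], "uid": ["bob"]},
    "uid=alice,ou=contractors,dc=example,dc=org": {"objectClass": ["posixAccount"], "uid": ["alice"]},
    "cn=infrastructure,ou=groups,dc=example,dc=org": {
        "objectClass": ["posixGroup"], "memberUid": ["alice"]},
    "cn=developers,ou=groups,dc=example,dc=org": {
        "objectClass": ["groupOfNames"],
        "member": ["UID=Bob, OU=People,DC=example,DC=org"]},
}

# Hypothetical role mapping: one group DN assigned to each role.
ROLE_GROUPS = {
    "Editor": "cn=infrastructure,ou=groups,dc=example,dc=org",
    "Viewer": "cn=developers,ou=groups,dc=example,dc=org",
}


def norm_dn(dn):
    """Lower-case a DN and strip spaces around RDNs (simplified: no escaped commas)."""
    return ",".join(rdn.strip().lower() for rdn in dn.split(","))


def groups_for(user_dn, directory=DIRECTORY):
    """Return the normalized DNs of every group listing the user, under either schema."""
    uids = set(directory[user_dn].get("uid", []))
    target = norm_dn(user_dn)
    found = set()
    for dn, attrs in directory.items():
        classes = {c.lower() for c in attrs.get("objectClass", [])}
        # posixGroup: memberUid holds bare uid values, compared exactly.
        if "posixgroup" in classes and uids & set(attrs.get("memberUid", [])):
            found.add(norm_dn(dn))
        # groupOfNames: member holds full DNs, compared after normalization.
        if "groupofnames" in classes and target in {norm_dn(m) for m in attrs.get("member", [])}:
            found.add(norm_dn(dn))
    return found


def roles_for(user_dn, directory=DIRECTORY, role_groups=ROLE_GROUPS):
    """Map a user's group memberships to role names via the role -> group DN table."""
    groups = groups_for(user_dn, directory)
    return sorted(role for role, gdn in role_groups.items() if norm_dn(gdn) in groups)
```

Because memberUid carries only the bare uid, the constructed contractor entry whose uid is also `alice` resolves to Editor as well, so uid values need to be unique across the search base when roles hang off posixGroup membership. The DN-valued member attribute of groupOfNames does not have that ambiguity.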
