Content created as Admin becomes invisible after role demotion to "own"-scoped role, joint_permissions.owner_id set to NULL after regenerate-permissions #6097

New issue

Open

opened 2026-04-13 15:36:46 +00:00 by bedeberger · 1 comment

bedeberger commented 2026-04-13 15:36:46 +00:00 (Migrated from github.com)

Copy link

Describe the Bug

When a user who was previously an Admin gets demoted to a non-admin role with "own"-scoped asset permissions (e.g. "View own books"), the content they created as Admin becomes invisible to them. Running php artisan bookstack:regenerate-permissions does not fix the issue.
Root cause: After regenerate-permissions, the joint_permissions table has owner_id = NULL for non-admin roles, even though entities.owned_by and entities.created_by are correctly set to the user's ID. BookStack's permission query grants access via owner_id = <user_id> — with NULL, access is denied despite the user being the owner.

Steps to Reproduce

1. User A has the Admin role and creates a book (e.g. entities.owned_by = 1, created_by = 1)
2. A new admin account is created
3. User A's Admin role is removed and replaced with a non-admin role (e.g. "Editor") with "View own" book permission
4. User A can no longer see their own book
5. Run php artisan bookstack:regenerate-permissions → does not fix the issue
6. Run php artisan cache:clear → does not fix the issue

Expected Behaviour

regenerate-permissions should populate joint_permissions.owner_id from entities.owned_by for all roles, including non-admin roles with "own"-scoped permissions.

Screenshots or Additional Context

Workaround
Creating a dedicated role with "View all" scope for the affected user restores visibility, but is not a clean solution for multi-user setups with strict "own"-scoped isolation.

Browser Details

No response

Exact BookStack Version

v26.03.3

### Describe the Bug When a user who was previously an Admin gets demoted to a non-admin role with "own"-scoped asset permissions (e.g. "View own books"), the content they created as Admin becomes invisible to them. Running php artisan bookstack:regenerate-permissions does not fix the issue. Root cause: After regenerate-permissions, the joint_permissions table has owner_id = NULL for non-admin roles, even though entities.owned_by and entities.created_by are correctly set to the user's ID. BookStack's permission query grants access via owner_id = <user_id> — with NULL, access is denied despite the user being the owner. ### Steps to Reproduce 1. User A has the Admin role and creates a book (e.g. entities.owned_by = 1, created_by = 1) 2. A new admin account is created 3. User A's Admin role is removed and replaced with a non-admin role (e.g. "Editor") with "View own" book permission 4. User A can no longer see their own book 5. Run php artisan bookstack:regenerate-permissions → does not fix the issue 6. Run php artisan cache:clear → does not fix the issue ### Expected Behaviour regenerate-permissions should populate joint_permissions.owner_id from entities.owned_by for all roles, including non-admin roles with "own"-scoped permissions. ### Screenshots or Additional Context Workaround Creating a dedicated role with "View all" scope for the affected user restores visibility, but is not a clean solution for multi-user setups with strict "own"-scoped isolation. ### Browser Details _No response_ ### Exact BookStack Version v26.03.3

ssddanbrown commented 2026-04-14 11:29:17 +00:00 (Migrated from github.com)

Copy link

Hi @bedeberger,
Could I just check, for the scenario in question, have any permission changes be made to the book itself?

• Any role permission overrides set on the book?
• What does the "Everyone Else" row show in the book permissions?

Hi @bedeberger, Could I just check, for the scenario in question, have any permission changes be made to the book itself? - Any role permission overrides set on the book? - What does the "Everyone Else" row show in the book permissions?

Sign in to join this conversation.

No Branch/Tag specified

Branches Tags

development

l10n_development

lexical_may_2026

release

v26-03

ci_fixing

codeberg-actions

sort_rule_text

llm_only

vectors

docker_env

drawio_rendering

user_permissions

ldap_host_failover

svg_image

prosemirror

captcha_example

fix/video-export

v26.03.4

v26.03.3

v26.03.2

v26.03.1

v26.03

v25.12.9

v25.12.8

v25.12.7

v25.12.6

v25.12.5

v25.12.4

v25.12.3

v25.12.2

v25.12.1

v25.12

v25.11.6

v25.11.5

v25.11.4

v24.11.4

v25.11.3

v25.11.2

v25.11.1

v25.11

v25.07.3

v25.07.2

v25.07.1

v25.07

v25.05.2

v25.05.1

v25.05

v25.02.5

v25.02.4

v25.02.3

v25.02.2

v25.02.1

v25.02

v24.12.1

v24.12

v24.10.3

v24.10.2

v24.10.1

v24.10

v24.05.4

v24.05.3

v24.05.2

v24.05.1

v24.05

v24.02.3

v24.02.2

v24.02.1

v24.02

v23.12.3

v23.12.2

v23.12.1

v23.12

v23.10.4

v23.10.3

v23.10.2

v23.10.1

v23.10

v23.08.3

v23.08.2

v23.08.1

v23.08

v23.06.2

v23.06.1

v23.06

v23.05.2

v23.05.1

v23.05

v23.02.3

v23.02.2

v23.02.1

v23.02

v23.01.1

v23.01

v22.11.1

v22.11

v22.10.2

v22.10.1

v22.10

v22.09.1

v22.09

v22.07.3

v22.07.2

v22.07.1

v22.07

v22.06.2

v22.06.1

v22.06

v22.04.2

v22.04.1

v22.04

v22.03.1

v22.03

v22.02.3

v22.02.2

v22.02.1

v22.02

v21.12.5

v21.12.4

v21.12.3

v21.12.2

v21.12.1

v21.12

v21.11.3

v21.11.2

v21.11.1

v21.11

v21.10.3

v21.10.2

v21.10.1

v21.10

v21.08.6

v21.08.5

v21.08.4

v21.08.3

v21.08.2

v21.08.1

v21.08

v21.05.4

v21.05.3

v21.05.2

v21.05.1

v21.05

v21.04.6

v21.04.5

v21.04.4

v21.04.3

v21.04.2

v21.04.1

v21.04

v0.31.8

v0.31.7

v0.31.6

v0.31.5

v0.31.4

v0.31.3

v0.31.2

v0.31.1

v0.31.0

v0.30.7

v0.30.6

v0.30.5

v0.30.4

v0.30.3

v0.30.2

v0.30.1

v0.30.0

v0.29.3

v0.29.2

v0.29.1

v0.29.0

v0.28.3

v0.28.2

v0.28.1

v0.28.0

v0.27.5

v0.27.4

v0.27.3

v0.27.2

v0.27.1

v0.27

v0.26.4

v0.26.3

v0.26.2

v0.26.1

v0.26.0

v0.25.5

v0.25.4

v0.25.3

v0.25.2

v0.25.1

v0.25.0

v0.24.3

v0.24.2

v0.24.1

v0.24.0

v0.23.2

v0.23.1

v0.23.0

v0.22.0

v0.21.0

v0.20.3

v0.20.2

v0.20.1

v0.20.0

v0.19.0

v0.18.5

v0.18.4

v0.18.3

v0.18.2

v0.18.1

v0.18.0

v0.17.4

v0.17.3

v0.17.2

v0.17.1

v0.17.0

v0.16.3

v0.16.2

v0.16.1

v0.16.0

v0.15.3

v0.15.2

v0.15.1

v0.15.0

v0.14.3

v0.14.2

v0.14.1

v0.14.0

v0.13.1

v0.13.0

v0.12.2

v0.12.1

v0.12.0

v0.11.2

v0.11.1

v0.11.0

v0.10.0

v0.9.3

v0.9.2

v0.9.1

v0.9.0

v0.8.2

v0.8.1

v0.8.0

v0.7.6

v0.7.5

v0.7.4

v0.7.3

0.7.2

v.0.7.1

v0.7.0

v0.6.3

v0.6.2

v0.6.1

v0.6.0

v0.5.0

Labels

Clear labels   

Focus: A11y

Accessibility

  

Focus: Admin/Meta

  

Focus: Authentication

  

Focus: Back-End

  

Focus: Database

  

Focus: Design & UX

  

Focus: Editor - Markdown

  

Focus: Editor - WYSIWYG

  

Focus: Export System

  

Focus: Front-End

  

Focus: Translations

  

Focus: View Customization

  

Is: Docs Update

  

Is: Enhancement

  

Is: Priority

  

Is: Security

  

Is: Upstream

  

Status

Blocked

  

Status

Open to discussion

  

Status

Out of scope

  

Status

Pending Validation

  

Type

API Request

  

Type

Bug Report

  

Type

Feature Request

  

Type

Happy feedback

  

Type

Maintenance

  

Type

Question

  

Type

Support

No labels

Focus: A11y

Focus: Admin/Meta

Focus: Authentication

Focus: Back-End

Focus: Database

Focus: Design & UX

Focus: Editor - Markdown

Focus: Editor - WYSIWYG

Focus: Export System

Focus: Front-End

Focus: Translations

Focus: View Customization

Is: Docs Update

Is: Enhancement

Is: Priority

Is: Security

Is: Upstream

Status

Blocked

Status

Open to discussion

Status

Out of scope

Status

Pending Validation

Type

API Request

Type

Bug Report

Type

Feature Request

Type

Happy feedback

Type

Maintenance

Type

Question

Type

Support

Milestone

Clear milestone

No items

No milestone

Projects

Clear projects

No items

No project

Assignees

Clear assignees

No assignees

1 participant

Notifications

Subscribe

Due date

The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference

bookstack/bookstack#6097

No description provided.