BookStackApp / BookStack

A platform to create documentation/wiki content built with PHP & Laravel
https://www.bookstackapp.com/
MIT License
14.83k stars 1.86k forks

Access Permission disappear on book after using the API #4838

Open matthias4217 opened 7 months ago

matthias4217 commented 7 months ago

Describe the Bug

To edit pages on Bookstack, some people in our team use the web interface, while others store their content on git and use a Python tool to upload it to Bookstack. In the latter case, this has caused some permission issues, with permissions on the book disappearing (but not on the pages or chapters). The joint_permissions table is then empty for the targeted books. Manually creating permissions in this table, or using php artisan bookstack:regenerate-permissions, fixes the issue. This has happened three times so far, the first time on January 23rd. It had never happened before we used 23.12. However, we are increasingly using Bookstack and the issue could have been present before.

It seems similar to https://github.com/BookStackApp/BookStack/issues/4791, but on the book, and not on the page.

Steps to Reproduce

I am not yet sure how the bug is caused exactly. What I can say is that it has always happened while using the API.

Expected Behaviour

The book should remain accessible.

Screenshots or Additional Context

No response

Browser Details

No response

Exact BookStack Version

v23.12

ssddanbrown commented 7 months ago

Hi @matthias4217, Could you confirm specifically what API endpoints are being used, and the order they're used in? Or (if public) link to the tool and advise which methods/actions of the tool are being used?

Just want to gain an idea of exactly what endpoints are used.

matthias4217 commented 6 months ago

We have developed two tools around Bookstack. Both are Python apps, in private repositories.

The error has been detected using Gitplo on the first call to the Bookstack API, a GET on the books endpoint. I suppose the issue began before that. The three impacted books are edited using Gitplo, and only two of them are managed by Bookstack Carpenter, so I assume it’s a call from Gitplo that is responsible for the issue. These books are notably not modified through the web interface.

Gitplo uses these API endpoints:

Notably, it doesn’t modify books nor does it use the Content-permissions endpoint, and apart from the three times where this error has happened (on two Bookstack instances in total), our workflow works fine.

ssddanbrown commented 6 months ago

Thanks for the extra info @matthias4217. Can you detail how you're running BookStack? (hosting method, OS, webserver).

matthias4217 commented 6 months ago

We run Bookstack on Openshift, and we build our Docker images ourselves (with php:8.1-fpm-alpine and nginx:1.25-alpine). We have slightly modified the code to show resource ids on pages (using this merge request: https://github.com/BookStackApp/BookStack/pull/4314/files) and to display the book parent shelves (from this issue: https://github.com/BookStackApp/BookStack/issues/4547#issuecomment-1726420230).

ssddanbrown commented 6 months ago

Report from a user on Discord of similar, running on Ubuntu 18.04 server, with MariaDB 10.1.48 database, Apache2, & PHP8.1-CGI. Reference
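Added example, not part of the thread and not BookStack's own code: a monitoring check for the symptom in the report, listing live books (or chapters) that have no rows at all in joint_permissions. The table and column names (books, chapters, id, name, deleted_at, entity_type, entity_id) are assumptions about the v23.12 schema, and the SQLite database and its rows are constructed so the check runs offline.

```python
import sqlite3

# Assumed BookStack v23.12 layout (not confirmed by the thread): one table per
# entity type with id/name/deleted_at, and joint_permissions rows keyed by
# entity_type/entity_id. Verify against your own schema before relying on it.
ENTITY_TABLES = {"book": "books", "chapter": "chapters"}


def missing_joint_permissions(conn, entity_type="book"):
    """Return (id, name) of non-deleted entities with no joint_permissions rows."""
    table = ENTITY_TABLES[entity_type]  # whitelist: table names cannot be bound
    sql = (
        f"SELECT e.id, e.name FROM {table} e "
        "LEFT JOIN joint_permissions jp "
        "  ON jp.entity_type = ? AND jp.entity_id = e.id "
        "WHERE e.deleted_at IS NULL AND jp.entity_id IS NULL "
        "ORDER BY e.id"
    )
    # '?' is the sqlite3 placeholder; MySQL/MariaDB drivers use '%s' on a cursor.
    return conn.execute(sql, (entity_type,)).fetchall()


def build_constructed_db():
    """In-memory SQLite stand-in with constructed rows (not real data)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE books (id INTEGER PRIMARY KEY, name TEXT, deleted_at TEXT);
        CREATE TABLE chapters (id INTEGER PRIMARY KEY, name TEXT, deleted_at TEXT);
        CREATE TABLE joint_permissions (role_id INTEGER, entity_type TEXT, entity_id INTEGER);
        INSERT INTO books VALUES (1, 'Runbooks', NULL), (2, 'Onboarding', NULL),
                                 (3, 'Old handbook', '2024-01-01 00:00:00');
        INSERT INTO chapters VALUES (10, 'Intro', NULL);
        -- Book 1 has rows for two roles; book 2 has none (the reported symptom).
        -- The chapter row with entity_id 2 must not mask the gap on book 2.
        INSERT INTO joint_permissions VALUES (1, 'book', 1), (2, 'book', 1),
                                             (1, 'chapter', 10), (1, 'chapter', 2);
    """)
    return conn


if __name__ == "__main__":
    db = build_constructed_db()
    for entity_id, name in missing_joint_permissions(db):
        print(f"book {entity_id} ({name!r}) has no joint_permissions rows")
```

Run on a schedule, a non-empty result flags the condition before users report a missing book; the thread's stated repair is php artisan bookstack:regenerate-permissions.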