Users without image permissions can still upload book covers

Open joshuaipwork opened this issue 2 months ago • 1 comments

Describe the Bug

A user with Create Book permissions can upload any image as a book cover, despite not having Create Image permissions. This seems to be the only context in which a user without Create Image permissions can create an image.

Steps to Reproduce

  1. Create a user role which permits creating books but does not permit uploading images.
  2. Assign the user role to a test user.
  3. Try to create a book and upload a cover as the test user.

Expected Behaviour

The user should not be able to upload an image, even as a book cover. They are uploading these cover images to my server, after all, and these images will get shown to other users!

Screenshots or Additional Context

No response

Browser Details

No response

Exact BookStack Version

v25.11.1

joshuaipwork, Nov 20 '25 11:11

Yeah, the image permissions are really just about images in page content, and don't apply to cover images, site icons/logos or user avatars. The ability to set book/shelf cover images is just based upon the ability to edit those items.

I can see why some would have this expectation though. Solution for this one might be just to add some hint text to explain the scope of those image role permissions in the UI.

ssddanbrown, Nov 21 '25 00:11