X-Git-Url: http://source.bookstackapp.com/bookstack/blobdiff_plain/b493becadfd0acf177decb796b460f92ca56f4e1..refs/pull/2511/head:/app/Auth/Permissions/PermissionService.php
diff --git a/app/Auth/Permissions/PermissionService.php b/app/Auth/Permissions/PermissionService.php
index bd4066936..89c8a5fbb 100644
--- a/app/Auth/Permissions/PermissionService.php
+++ b/app/Auth/Permissions/PermissionService.php
@@ -526,12 +526,15 @@ class PermissionService
 $action = end($explodedPermission);
 $this->currentAction = $action;
+ $nonJointPermissions = ['restrictions', 'image', 'attachment', 'comment'];
+ // Handle non entity specific jointPermissions
- if (!($ownable instanceof Entity)) {
+ if (in_array($explodedPermission[0], $nonJointPermissions)) {
 $allPermission = $this->currentUser() && $this->currentUser()->can($permission . '-all');
 $ownPermission = $this->currentUser() && $this->currentUser()->can($permission . '-own');
 $this->currentAction = 'view';
- $isOwner = $this->currentUser() && $this->currentUser()->id === $ownable->created_by;
+ $ownerField = ($ownable instanceof Entity) ? 'owned_by' : 'created_by';
+ $isOwner = $this->currentUser() && $this->currentUser()->id === $ownable->$ownerField;
 return ($allPermission || ($isOwner && $ownPermission));
 }
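Review bot: The branch at `if (in_array($explodedPermission[0], $nonJointPermissions))` is now selected by the permission name alone, so an ownable that is not an `Entity` and is checked with a prefix missing from the hard-coded list falls through to the code after the closing brace, which is outside this hunk and presumably expects an entity with joint permissions. Since this is an authorization decision, I would keep the type guard alongside the list and make the lookup strict: `if (!($ownable instanceof Entity) || in_array($explodedPermission[0], $nonJointPermissions, true)) {`. A short comment above `$nonJointPermissions` stating that these prefixes are resolved from role permissions only, and that any new non-entity permission type must be added there, would make the coupling explicit. The enclosing method starts before and continues after the hunk, so the fall-through behaviour should be confirmed against the full method.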