Unexpected behaviour with shelf create permissions #2203

New Issue

Closed

opened 2026-02-05 03:18:29 +03:00 by OVERLORD · 4 comments

OVERLORD commented 2026-02-05 03:18:29 +03:00

Owner

Copy Link

Originally created by @maggie44 on GitHub (Apr 20, 2021).

With the custom permissions indicated in the attached image set on a shelf, I expected the behaviour to be:

Users can View + Users can Create new books + Users cannot update the shelf details + Users cannot delete the shelf

Instead, the Create permission does not appear to have any affect unless Update is also ticked. This in turn means I cannot let people contribute books to my shelf, without also allowing them to edit my Shelf details.

BookStack v21.04

Originally created by @maggie44 on GitHub (Apr 20, 2021). With the custom permissions indicated in the attached image set on a shelf, I expected the behaviour to be: Users can View + Users can Create new books + Users cannot update the shelf details + Users cannot delete the shelf Instead, the Create permission does not appear to have any affect unless Update is also ticked. This in turn means I cannot let people contribute books to my shelf, without also allowing them to edit my Shelf details. <img width="888" alt="Screenshot 2021-04-19 at 14 02 50" src="https://user-images.githubusercontent.com/64841595/115303924-1dbb4a80-a119-11eb-90ae-9bb7efc094dd.png"> BookStack v21.04

OVERLORD added the 🐛 Bug label 2026-02-05 03:18:29 +03:00

OVERLORD closed this issue 2026-02-05 03:18:33 +03:00

OVERLORD commented 2026-02-05 03:18:41 +03:00

Author

Owner

Copy Link

@ssddanbrown commented on GitHub (Jun 2, 2021):

Thanks for raising @maggie0002.

Yeah, The create permissions are currently redundant, likely originally copied from the permission options of books.

This in turn means I cannot let people contribute books to my shelf, without also allowing them to edit my Shelf details.

Is this just an example of a flow that may be broken from the current permission behaviour? Or is this an ability that you actually desire for your usage? If you desired this permission to allow the adding/removing of books I think we'd want to rename "Create" to "Curate" or "Manage Assigned Content". That would also need some more complex changes in functionality since the behaviour is not set-up for separate editing and curation.

@ssddanbrown commented on GitHub (Jun 2, 2021): Thanks for raising @maggie0002. Yeah, The create permissions are currently redundant, likely originally copied from the permission options of books. > This in turn means I cannot let people contribute books to my shelf, without also allowing them to edit my Shelf details. Is this just an example of a flow that may be broken from the current permission behaviour? Or is this an ability that you actually desire for your usage? If you desired this permission to allow the adding/removing of books I think we'd want to rename "Create" to "Curate" or "Manage Assigned Content". That would also need some more complex changes in functionality since the behaviour is not set-up for separate editing and curation.

OVERLORD commented 2026-02-05 03:18:46 +03:00

Author

Owner

Copy Link

@maggie44 commented on GitHub (Jun 2, 2021):

Thanks for raising @maggie0002.

Yeah, The create permissions are currently redundant, likely originally copied from the permission options of books.

This in turn means I cannot let people contribute books to my shelf, without also allowing them to edit my Shelf details.

Is this just an example of a flow that may be broken from the current permission behaviour? Or is this an ability that you actually desire for your usage? If you desired this permission to allow the adding/removing of books I think we'd want to rename "Create" to "Curate" or "Manage Assigned Content". That would also need some more complex changes in functionality since the behaviour is not set-up for separate editing and curation.

It is something I desired for my usage. Although it's not time sensitive. Perhaps best to flag this one for thought as part of the broader permissions review you note is scheduled in the readme?

@maggie44 commented on GitHub (Jun 2, 2021): > Thanks for raising @maggie0002. > > Yeah, The create permissions are currently redundant, likely originally copied from the permission options of books. > > > This in turn means I cannot let people contribute books to my shelf, without also allowing them to edit my Shelf details. > > Is this just an example of a flow that may be broken from the current permission behaviour? Or is this an ability that you actually desire for your usage? If you desired this permission to allow the adding/removing of books I think we'd want to rename "Create" to "Curate" or "Manage Assigned Content". That would also need some more complex changes in functionality since the behaviour is not set-up for separate editing and curation. It is something I desired for my usage. Although it's not time sensitive. Perhaps best to flag this one for thought as part of the broader permissions review you note is scheduled in the readme?

OVERLORD commented 2026-02-05 03:18:53 +03:00

Author

Owner

Copy Link

@ssddanbrown commented on GitHub (Jun 20, 2023):

A note that #3073 and #4326 have had different expectations to this, in expecting to be able to create new books within this shelf (Which would raise other concerns due shelf->book relationship).

I think for now it'd be better to be pragmatic and go ahead to remove this option from view (and delete existing entries) so that it's not causing confusion. User abilities/actions that may have been desired from this can then be raised independently of this specific check-box/implementation.

@ssddanbrown commented on GitHub (Jun 20, 2023): A note that #3073 and #4326 have had different expectations to this, in expecting to be able to create new books within this shelf (Which would raise other concerns due shelf->book relationship). I think for now it'd be better to be pragmatic and go ahead to remove this option from view (and delete existing entries) so that it's not causing confusion. User abilities/actions that may have been desired from this can then be raised independently of this specific check-box/implementation.

OVERLORD commented 2026-02-05 03:18:57 +03:00

Author

Owner

Copy Link

@ssddanbrown commented on GitHub (Jun 26, 2023):

Create permission now removed from view as per above, within 847a57a49a. Will be part of the next feature release.

@ssddanbrown commented on GitHub (Jun 26, 2023): Create permission now removed from view as per above, within 847a57a49aef525d2f7f429a30e58a34cf69d43f. Will be part of the next feature release.

Sign in to join this conversation.

No Branch/Tag Specified

Branches Tags

development

further_theme_development

l10n_development

release

llm_only

vectors

v25-11

docker_env

drawio_rendering

user_permissions

ldap_host_failover

svg_image

prosemirror

captcha_example

fix/video-export

v25.12.3

v25.12.2

v25.12.1

v25.12

v25.11.6

v25.11.5

v25.11.4

v24.11.4

v25.11.3

v25.11.2

v25.11.1

v25.11

v25.07.3

v25.07.2

v25.07.1

v25.07

v25.05.2

v25.05.1

v25.05

v25.02.5

v25.02.4

v25.02.3

v25.02.2

v25.02.1

v25.02

v24.12.1

v24.12

v24.10.3

v24.10.2

v24.10.1

v24.10

v24.05.4

v24.05.3

v24.05.2

v24.05.1

v24.05

v24.02.3

v24.02.2

v24.02.1

v24.02

v23.12.3

v23.12.2

v23.12.1

v23.12

v23.10.4

v23.10.3

v23.10.2

v23.10.1

v23.10

v23.08.3

v23.08.2

v23.08.1

v23.08

v23.06.2

v23.06.1

v23.06

v23.05.2

v23.05.1

v23.05

v23.02.3

v23.02.2

v23.02.1

v23.02

v23.01.1

v23.01

v22.11.1

v22.11

v22.10.2

v22.10.1

v22.10

v22.09.1

v22.09

v22.07.3

v22.07.2

v22.07.1

v22.07

v22.06.2

v22.06.1

v22.06

v22.04.2

v22.04.1

v22.04

v22.03.1

v22.03

v22.02.3

v22.02.2

v22.02.1

v22.02

v21.12.5

v21.12.4

v21.12.3

v21.12.2

v21.12.1

v21.12

v21.11.3

v21.11.2

v21.11.1

v21.11

v21.10.3

v21.10.2

v21.10.1

v21.10

v21.08.6

v21.08.5

v21.08.4

v21.08.3

v21.08.2

v21.08.1

v21.08

v21.05.4

v21.05.3

v21.05.2

v21.05.1

v21.05

v21.04.6

v21.04.5

v21.04.4

v21.04.3

v21.04.2

v21.04.1

v21.04

v0.31.8

v0.31.7

v0.31.6

v0.31.5

v0.31.4

v0.31.3

v0.31.2

v0.31.1

v0.31.0

v0.30.7

v0.30.6

v0.30.5

v0.30.4

v0.30.3

v0.30.2

v0.30.1

v0.30.0

v0.29.3

v0.29.2

v0.29.1

v0.29.0

v0.28.3

v0.28.2

v0.28.1

v0.28.0

v0.27.5

v0.27.4

v0.27.3

v0.27.2

v0.27.1

v0.27

v0.26.4

v0.26.3

v0.26.2

v0.26.1

v0.26.0

v0.25.5

v0.25.4

v0.25.3

v0.25.2

v0.25.1

v0.25.0

v0.24.3

v0.24.2

v0.24.1

v0.24.0

v0.23.2

v0.23.1

v0.23.0

v0.22.0

v0.21.0

v0.20.3

v0.20.2

v0.20.1

v0.20.0

v0.19.0

v0.18.5

v0.18.4

v0.18.3

v0.18.2

v0.18.1

v0.18.0

v0.17.4

v0.17.3

v0.17.2

v0.17.1

v0.17.0

v0.16.3

v0.16.2

v0.16.1

v0.16.0

v0.15.3

v0.15.2

v0.15.1

v0.15.0

v0.14.3

v0.14.2

v0.14.1

v0.14.0

v0.13.1

v0.13.0

v0.12.2

v0.12.1

v0.12.0

v0.11.2

v0.11.1

v0.11.0

v0.10.0

v0.9.3

v0.9.2

v0.9.1

v0.9.0

v0.8.2

v0.8.1

v0.8.0

v0.7.6

v0.7.5

v0.7.4

v0.7.3

0.7.2

v.0.7.1

v0.7.0

v0.6.3

v0.6.2

v0.6.1

v0.6.0

v0.5.0

Labels

Clear labels

🎨 Design

📖 Docs Update

🐛 Bug

🐛 Bug

:cat2:🐈 Possible duplicate

💿 Database

☕ Open to discussion

💻 Front-End

🐕 Support

🚪 Authentication

🌍 Translations

🔌 API Task

🏭 Back-End

⛲ Upstream

🔨 Feature Request

🛠️ Enhancement

🛠️ Enhancement

🛠️ Enhancement

❤️ Happy feedback

🔒 Security

🔍 Pending Validation

💆 UX

📝 WYSIWYG Editor

🌔 Out of scope

🔩 API Request

:octocat: Admin/Meta

🖌️ View Customization

❓ Question

🚀 Priority

🛡️ Blocked

🚚 Export System

♿ A11y

🔧 Maintenance

> Markdown Editor

pull-request

Mirrored from GitHub Pull Request

No Label 🐛 Bug

Milestone

No items

No Milestone

Projects

Clear projects

No project

Assignees

Clear assignees

OVERLORD

No Assignees

1 Participants

Notifications

Subscribe

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: starred/BookStack#2203