Removal of books from a shelf can remove more books than intended #5372

New Issue

Closed

opened 2026-02-05 10:00:42 +03:00 by OVERLORD · 3 comments

OVERLORD commented 2026-02-05 10:00:42 +03:00

Owner

Copy Link

Originally created by @someplace53 on GitHub (Jul 22, 2025).

Describe the Bug

If a user removes the a book from a shelf, where he/she cannot see all books, the books which are not seen will be removed, if the shelf is saved.

Steps to Reproduce

there might be bit to many permissions, but this works:

1. create a role role_a with following permissions: 'manage permissions on own books, chapter & pages'; Shelfs: View (own, all), Edit (own, all); Books: Create, View (own), Edit (own, all), Delete (own)
2. create a user_a, who is part of role_a
3. create a user_b, without roles
4. create a shelf "test_shelf"
5. create 2 books ("book_a" and "book_b") and put them into "test_shelf"
6. change the ownership of book_b to user_b
7. login as user_a
8. go to test_shelf (only one book should be visible) and click edit
9. remove book_a from the shelf and save
10. verify with another account (admin?) that the shelf is empty

If needed I can provide a db dump for this scenario (~60kb)

Expected Behaviour

If I remove a book from a shelf, I would expect that only that book will be removed, not other books I am not aware of, too.

Screenshots or Additional Context

No response

Browser Details

No response

Exact BookStack Version

v24.12.1, v25.5.02

Originally created by @someplace53 on GitHub (Jul 22, 2025). ### Describe the Bug If a user removes the a book from a shelf, where he/she cannot see all books, the books which are not seen will be removed, if the shelf is saved. ### Steps to Reproduce there might be bit to many permissions, but this works: 1. create a role role_a with following permissions: 'manage permissions on own books, chapter & pages'; Shelfs: View (own, all), Edit (own, all); Books: Create, View (own), Edit (own, all), Delete (own) 2. create a user_a, who is part of role_a 3. create a user_b, without roles 4. create a shelf "test_shelf" 5. create 2 books ("book_a" and "book_b") and put them into "test_shelf" 6. change the ownership of book_b to user_b 7. login as user_a 8. go to test_shelf (only one book should be visible) and click edit 9. remove book_a from the shelf and save 10. verify with another account (admin?) that the shelf is empty If needed I can provide a db dump for this scenario (~60kb) ### Expected Behaviour If I remove a book from a shelf, I would expect that only that book will be removed, not other books I am not aware of, too. ### Screenshots or Additional Context _No response_ ### Browser Details _No response_ ### Exact BookStack Version v24.12.1, v25.5.02

OVERLORD added the 🐛 Bug label 2026-02-05 10:00:42 +03:00

OVERLORD closed this issue 2026-02-05 10:00:43 +03:00

OVERLORD commented 2026-02-05 10:00:44 +03:00

Author

Owner

Copy Link

@Pheasey commented on GitHub (Jul 25, 2025):

I'm unable to replicate this issue on v25.05.2 or development branch.

@Pheasey commented on GitHub (Jul 25, 2025): I'm unable to replicate this issue on [v25.05.2](https://github.com/BookStackApp/BookStack/releases) or development branch.

OVERLORD commented 2026-02-05 10:00:47 +03:00

Author

Owner

Copy Link

@someplace53 commented on GitHub (Jul 30, 2025):

I improved the description on how to reproduce the bug and I retested it with a fresh container stack, which I can also provide.

@someplace53 commented on GitHub (Jul 30, 2025): I improved the description on how to reproduce the bug and I retested it with a fresh container stack, which I can also provide.

OVERLORD commented 2026-02-05 10:00:48 +03:00

Author

Owner

Copy Link

@ssddanbrown commented on GitHub (Aug 25, 2025):

Hi @someplace53, thanks for reporting.

I can confirm the issue, and have addressed this along with testing coverage via 13a79b3f96.
These changes will be part of the next BookStack patch or feature release.

@ssddanbrown commented on GitHub (Aug 25, 2025): Hi @someplace53, thanks for reporting. I can confirm the issue, and have addressed this along with testing coverage via 13a79b3f96c7525d6c4807c5ec83f9d96885f74e. These changes will be part of the next BookStack patch or feature release.

Sign in to join this conversation.

No Branch/Tag Specified

Branches Tags

development

further_theme_development

l10n_development

release

llm_only

vectors

v25-11

docker_env

drawio_rendering

user_permissions

ldap_host_failover

svg_image

prosemirror

captcha_example

fix/video-export

v25.12.3

v25.12.2

v25.12.1

v25.12

v25.11.6

v25.11.5

v25.11.4

v24.11.4

v25.11.3

v25.11.2

v25.11.1

v25.11

v25.07.3

v25.07.2

v25.07.1

v25.07

v25.05.2

v25.05.1

v25.05

v25.02.5

v25.02.4

v25.02.3

v25.02.2

v25.02.1

v25.02

v24.12.1

v24.12

v24.10.3

v24.10.2

v24.10.1

v24.10

v24.05.4

v24.05.3

v24.05.2

v24.05.1

v24.05

v24.02.3

v24.02.2

v24.02.1

v24.02

v23.12.3

v23.12.2

v23.12.1

v23.12

v23.10.4

v23.10.3

v23.10.2

v23.10.1

v23.10

v23.08.3

v23.08.2

v23.08.1

v23.08

v23.06.2

v23.06.1

v23.06

v23.05.2

v23.05.1

v23.05

v23.02.3

v23.02.2

v23.02.1

v23.02

v23.01.1

v23.01

v22.11.1

v22.11

v22.10.2

v22.10.1

v22.10

v22.09.1

v22.09

v22.07.3

v22.07.2

v22.07.1

v22.07

v22.06.2

v22.06.1

v22.06

v22.04.2

v22.04.1

v22.04

v22.03.1

v22.03

v22.02.3

v22.02.2

v22.02.1

v22.02

v21.12.5

v21.12.4

v21.12.3

v21.12.2

v21.12.1

v21.12

v21.11.3

v21.11.2

v21.11.1

v21.11

v21.10.3

v21.10.2

v21.10.1

v21.10

v21.08.6

v21.08.5

v21.08.4

v21.08.3

v21.08.2

v21.08.1

v21.08

v21.05.4

v21.05.3

v21.05.2

v21.05.1

v21.05

v21.04.6

v21.04.5

v21.04.4

v21.04.3

v21.04.2

v21.04.1

v21.04

v0.31.8

v0.31.7

v0.31.6

v0.31.5

v0.31.4

v0.31.3

v0.31.2

v0.31.1

v0.31.0

v0.30.7

v0.30.6

v0.30.5

v0.30.4

v0.30.3

v0.30.2

v0.30.1

v0.30.0

v0.29.3

v0.29.2

v0.29.1

v0.29.0

v0.28.3

v0.28.2

v0.28.1

v0.28.0

v0.27.5

v0.27.4

v0.27.3

v0.27.2

v0.27.1

v0.27

v0.26.4

v0.26.3

v0.26.2

v0.26.1

v0.26.0

v0.25.5

v0.25.4

v0.25.3

v0.25.2

v0.25.1

v0.25.0

v0.24.3

v0.24.2

v0.24.1

v0.24.0

v0.23.2

v0.23.1

v0.23.0

v0.22.0

v0.21.0

v0.20.3

v0.20.2

v0.20.1

v0.20.0

v0.19.0

v0.18.5

v0.18.4

v0.18.3

v0.18.2

v0.18.1

v0.18.0

v0.17.4

v0.17.3

v0.17.2

v0.17.1

v0.17.0

v0.16.3

v0.16.2

v0.16.1

v0.16.0

v0.15.3

v0.15.2

v0.15.1

v0.15.0

v0.14.3

v0.14.2

v0.14.1

v0.14.0

v0.13.1

v0.13.0

v0.12.2

v0.12.1

v0.12.0

v0.11.2

v0.11.1

v0.11.0

v0.10.0

v0.9.3

v0.9.2

v0.9.1

v0.9.0

v0.8.2

v0.8.1

v0.8.0

v0.7.6

v0.7.5

v0.7.4

v0.7.3

0.7.2

v.0.7.1

v0.7.0

v0.6.3

v0.6.2

v0.6.1

v0.6.0

v0.5.0

Labels

Clear labels

🎨 Design

📖 Docs Update

🐛 Bug

🐛 Bug

:cat2:🐈 Possible duplicate

💿 Database

☕ Open to discussion

💻 Front-End

🐕 Support

🚪 Authentication

🌍 Translations

🔌 API Task

🏭 Back-End

⛲ Upstream

🔨 Feature Request

🛠️ Enhancement

🛠️ Enhancement

🛠️ Enhancement

❤️ Happy feedback

🔒 Security

🔍 Pending Validation

💆 UX

📝 WYSIWYG Editor

🌔 Out of scope

🔩 API Request

:octocat: Admin/Meta

🖌️ View Customization

❓ Question

🚀 Priority

🛡️ Blocked

🚚 Export System

♿ A11y

🔧 Maintenance

> Markdown Editor

pull-request

Mirrored from GitHub Pull Request

No Label 🐛 Bug

Milestone

No items

No Milestone

Projects

Clear projects

No project

Assignees

Clear assignees

OVERLORD

No Assignees

1 Participants

Notifications

Subscribe

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: starred/BookStack#5372