Users can edit and rename shelves

[Salla205]

Describe the Bug

The Asset Permissions set under Settings → Roles do not automatically apply to added shelves. A shelf will only become visible to users and its functions will be activated once one of the options "View," "Create," "Update," or "Delete" is selected. The specific permissions assigned to a shelf override the general role settings and can render them ineffective.

Here are a few images for better understanding.

Background on Company Usage
We plan to introduce BookStack company-wide and provide each department with its own shelf. Additionally, the IT department will provide shelves containing central documentation.

Department Shelves: Visible only to the respective department and admins – not to other departments.
Permissions in Department Shelves: Users can create books but cannot edit the shelf itself. Within their own department, users are allowed to delete books, chapters, and pages.
IT Department Shelves: Documentation with view-only permissions must not be copied.

Additionally, only shelves should be displayed, and users should not be able to create books via "Book", as these are only visible to themselves.

Steps to Reproduce

Go to Settings → Roles and create a new role.
Assign Asset Permissions as shown in the image above. No System Permissions are selected.

Now, add this role to a shelf under Shelves → Add Role, but do not check "View," "Create," "Update," or "Delete." The shelf will not be visible to the user.

• The shelf only becomes visible when "View" is selected.
• The "Create" option has no effect.
• "Update" allows users to create books but also edit shelves—which should not be possible.
• "Delete" enables users to delete shelves, even though this permission is not explicitly selected.

Expected Behaviour

Either the "Create" permission must be enabled to allow book creation, or the specific shelf permissions should not override the Asset Permissions.

Additionally, there should be a button to hide Books in the top navigation bar and display only Shelves, since users should not create their own books. This option should only be available to Admins or IT users.

Screenshots or Additional Context

No response

Browser Details

No response

Exact BookStack Version

BookStack v24.10

[ssddanbrown]

Hi @Salla205,
I'm not really sure I see a bug here.

Quoting the reproduction steps:

The shelf only becomes visible when "View" is selected.

I don't have full visibility of the permissions at play via the screenshots provided, but this is expected. Users will need some form of view permission to see items. Lack of view via overrides will take precedence.

The "Create" option has no effect.

Yes, they are only used for copying as mentioned in the permissions page, denoted by the *.

"Update" allows users to create books but also edit shelves—which should not be possible.

Update affects the ability to update the shelf in any way. The details and contents (assigned books) are both considered part of the shelf.

"Delete" enables users to delete shelves, even though this permission is not explicitly selected.

I don't know what is meant by that tbh.

---

Shelves are only really meant to be a high-level-categorization option around books. Books do not belong to them, but are on them. Where permissions are managed, keeping things at book level is generally much simpler and easier in regards to permission management.

[Salla205]

I try to explain it.

My idea was to create a shelf for each department in our company. On this shelf, employees of the respective department can create, update, and delete books, and the same applies to chapters and pages in the books. However, the shelf itself should not be editable. For each department, I will create a role that includes only "Asset Permissions" (see first screenshot) and no "System Permissions." I will then assign this role to the respective shelf.

The additional permissions "View," "Create *," "Update," and "Delete" on the shelf confused me. Without making a selection, nothing happens. However, when one of these additional permissions is selected, the "Asset Permissions" of the role are ignored.

I then tried it at the book level. The shelf level represented a higher-level area, and each department was assigned at the book level. Again, I added the role (only "Asset Permissions" and no "System Permissions"). At this level, chapters and pages could be created, but not deleted. It was only after I added the "Delete" permission at the book level that chapters and pages could be deleted – but also the book itself.

[ssddanbrown]

Yeah, that's all expected to be honest.
I appreciate the permission can be a little course for some scenarios though, but we do have to strike a balance between maintenance/supported complexity and flexibility.

[steven-loscheider]

I am curious about this because we would want to use Bookstack in the same manner. Meaning we have different departments that we want to assign to a specific shelf (or book idk) so they can only(!) see and work in their own area. Meaning Finance for example cannot view and edit Books/shelves etc from the IT department. How do I do this?

[ssddanbrown]

I'm going to go ahead and close off this issue and I don't see much to action here.

---

@steven-loscheider The approach I'd advise would be:

• Keep at the book level by default.
• On the book, assign view/create/edit to the desired roles.
• At the role-level permissions, provide delete-own permissions so users can delete their own content where needed.