
Removal of books from a shelf can remove more books than intended #5728

@someplace53


Describe the Bug

If a user removes a book from a shelf where he/she cannot see all books, the books which are not seen will also be removed if the shelf is saved.

Steps to Reproduce

There might be a bit too many permissions, but this works:

  1. create a role role_a with the following permissions: 'manage permissions on own books, chapter & pages'; Shelves: View (own, all), Edit (own, all); Books: Create, View (own), Edit (own, all), Delete (own)
  2. create a user_a, who is part of role_a
  3. create a user_b, without roles
  4. create a shelf "test_shelf"
  5. create 2 books ("book_a" and "book_b") and put them into "test_shelf"
  6. change the ownership of book_b to user_b
  7. log in as user_a
  8. go to test_shelf (only one book should be visible) and click edit
  9. remove book_a from the shelf and save
  10. verify with another account (admin?) that the shelf is empty

If needed I can provide a db dump for this scenario (~60kb)

Expected Behaviour

If I remove a book from a shelf, I would expect that only that book will be removed, not other books I am not aware of, too.

Screenshots or Additional Context

No response

Browser Details

No response

Exact BookStack Version

v24.12.1, v25.5.02
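
The following is an added illustration, not part of the original report and not BookStack code: a small model of the behaviour described above next to one way to scope a shelf save to the books the editor can actually see. The function names, the `can_view` callback and the sample data are hypothetical, constructed from the reproduction steps.

```python
from typing import Callable, Iterable, List

CanView = Callable[[str], bool]


def save_shelf_replace(current: List[str], submitted: Iterable[str],
                       can_view: CanView) -> List[str]:
    """Model of the reported behaviour: the submitted list becomes the shelf."""
    return [b for b in dict.fromkeys(submitted) if can_view(b)]


def save_shelf_scoped(current: List[str], submitted: Iterable[str],
                      can_view: CanView) -> List[str]:
    """Apply the edit only to books the editor can see.

    Hidden books were never in the edit form, so their absence from
    `submitted` is not a removal request; they keep their slot.
    """
    # Drop duplicates and any id the editor may not view (forged input).
    wanted = iter([b for b in dict.fromkeys(submitted) if can_view(b)])
    result = []
    for book in current:
        if not can_view(book):
            result.append(book)           # hidden: left untouched
            continue
        nxt = next(wanted, None)          # visible slot: refill in form order
        if nxt is not None:
            result.append(nxt)
    result.extend(wanted)                 # books newly added by the editor
    return result


# Constructed data mirroring the steps in the report.
OWNER = {"book_a": "user_a", "book_b": "user_b"}
SHELF = ["book_a", "book_b"]


def user_a_can_view(book: str) -> bool:
    return OWNER.get(book) == "user_a"    # role_a: Books View (own)


def reproduce():
    form = [b for b in SHELF if user_a_can_view(b)]  # edit form shows book_a only
    form.remove("book_a")                             # step 9: remove and save
    return (save_shelf_replace(SHELF, form, user_a_can_view),
            save_shelf_scoped(SHELF, form, user_a_can_view))


if __name__ == "__main__":
    print(reproduce())
```

The first element of the returned pair is the shelf after a full replace (empty, as in step 10); the second keeps `book_b`, which user_a never saw and never asked to remove.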
