With default settings, low-level users will not have permission to read name of private shelf (shelf create by another user and not in public mode). However, due to incorrect HTML render, the application does not work as intended.
In line 380 (https://github.com/janeczku/calibre-web/blob/master/cps/shelf.py#L380), server will check view permission of user and query book for shelf. However, if user doesn’t have view permission, server continues to render HTML containing shelf.name instead of showing error messages and redirect. This leads to disclose name of private shelf.
Low-level user can read name of all private shelves.