With default settings, low-level users (those without the “Public Shelf” permission) are not allowed to create a new shelf in public mode. However, because of an inconsistent check, the function does not work as intended.
At line 248 (https://github.com/janeczku/calibre-web/blob/01090169a795342626412955cd0aefea11ad4a2a/cps/shelf.py#L248), the server checks whether a user without the “Public Shelf” permission has sent “is_public=on” in the create request and returns an error if so. However, at line 251 the server only checks for the presence of the “is_public” field and does not check its value again. An attacker can therefore pass a value other than “on” to get past this check.
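The following is an added illustration of the check pattern described above, not calibre-web's own code: the function and field names are assumptions that mirror the report (an “is_public” form field and a per-user “public shelf” permission), with the inconsistent version placed beside a hardened one that derives the boolean once and applies the permission check to that same value.

```python
# Added illustration of the permission-check pattern in the report.
# NOT calibre-web's code: function and field names are assumptions,
# kept in plain Python so it runs offline.

def create_shelf_vulnerable(form: dict, can_create_public: bool) -> dict:
    """Inconsistent check: deny only when is_public == 'on', but later
    treat the mere presence of is_public as a request for a public shelf."""
    if form.get("is_public") == "on" and not can_create_public:
        return {"error": "public shelves not permitted"}
    is_public = "is_public" in form          # presence check, value ignored
    return {"created": True, "is_public": is_public}


def create_shelf_fixed(form: dict, can_create_public: bool) -> dict:
    """Hardened form: compute the boolean once and use the same boolean
    for both the permission decision and the stored attribute."""
    wants_public = form.get("is_public") == "on"
    if wants_public and not can_create_public:
        return {"error": "public shelves not permitted"}
    return {"created": True, "is_public": wants_public}


# Constructed requests from a user WITHOUT the "public shelf" permission.
NORMAL = {"title": "my shelf", "is_public": "on"}   # rejected by both
BYPASS = {"title": "my shelf", "is_public": "1"}    # value other than "on"

if __name__ == "__main__":
    for name, form in (("normal", NORMAL), ("bypass", BYPASS)):
        print(name, "vulnerable:", create_shelf_vulnerable(form, False))
        print(name, "fixed:     ", create_shelf_fixed(form, False))
```

The vulnerable version returns a public shelf for the second request even though the user lacks the permission; the hardened version cannot disagree with itself because the permission check and the stored flag come from one expression.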
A low-level user without the “Public Shelf” permission can thus create a public shelf. This can lead to malicious content being shared publicly.