Trek_CN/server
jubnl d765a80ea3
fix(immich): proxy shared photos using owner's Immich credentials
Trip members viewing another member's shared photo were getting a 404
because the proxy endpoints always used the requesting user's Immich
credentials instead of the photo owner's. The ?userId= query param the
client already sent was silently ignored.

- Add canAccessUserPhoto() to verify the asset is shared and the
  requesting user is a trip member before allowing cross-user proxying
- Pass optional ownerUserId through proxyThumbnail, proxyOriginal, and
  getAssetInfo so credentials are fetched for the correct user
- Enforce shared=1 check so unshared photos remain inaccessible
2026-04-03 22:32:41 +02:00
..
public fix: always fetch fresh photo URLs for map markers instead of using stored HTTP URLs 2026-04-01 19:48:58 +02:00
scripts feat: add encryption key migration script and document it in README 2026-04-01 09:35:32 +02:00
src fix(immich): proxy shared photos using owner's Immich credentials 2026-04-03 22:32:41 +02:00
tests test: update cookie test to match sameSite lax change 2026-04-03 14:42:48 +02:00
.env.example feat: add MCP_RATE_LIMIT env variable to control MCP request rate 2026-04-03 15:44:33 +02:00
package-lock.json Add comprehensive backend test suite (#339) 2026-04-03 13:17:53 +02:00
package.json Add comprehensive backend test suite (#339) 2026-04-03 13:17:53 +02:00
reset-admin.js Stabilize core: better-sqlite3, versioned migrations, graceful shutdown 2026-03-22 17:52:24 +01:00
tsconfig.json some fixes 2026-03-30 06:59:24 +02:00
vitest.config.ts Add comprehensive backend test suite (#339) 2026-04-03 13:17:53 +02:00