Trip members viewing another member's shared photo were getting a 404 because the proxy endpoints always used the requesting user's Immich credentials instead of the photo owner's. The ?userId= query param the client already sent was silently ignored. - Add canAccessUserPhoto() to verify the asset is shared and the requesting user is a trip member before allowing cross-user proxying - Pass optional ownerUserId through proxyThumbnail, proxyOriginal, and getAssetInfo so credentials are fetched for the correct user - Enforce shared=1 check so unshared photos remain inaccessible |
||
|---|---|---|
| .. | ||
| public | ||
| scripts | ||
| src | ||
| tests | ||
| .env.example | ||
| package-lock.json | ||
| package.json | ||
| reset-admin.js | ||
| tsconfig.json | ||
| vitest.config.ts | ||