Albums: Refactor permission check in internal/api/albums.go

lastzero · lastzero · commit 5e4357c02d46 · 2025-02-22T14:49:58.000+01:00
Signed-off-by: Michael Mayer &lt;michael@photoprism.app&gt;
diff --git a/internal/api/albums.go b/internal/api/albums.go
@@ -70,7 +70,7 @@ func GetAlbum(router *gin.RouterGroup) {
 		}
 
 		// Other restricted users can only access their own or shared content.
-		if album.CreatedBy != s.UserUID && s.User().HasSharedAccessOnly(acl.ResourceAlbums) {
+		if s.User().HasSharedAccessOnly(acl.ResourceAlbums) && album.CreatedBy != s.UserUID && !s.HasShare(uid) {
 			AbortForbidden(c)
 			return
 		}

Original file line number	Diff line number	Diff line change
`@@ -70,7 +70,7 @@ func GetAlbum(router *gin.RouterGroup) {`
`70`	`70`	`}`
`71`	`71`
`72`	`72`	`// Other restricted users can only access their own or shared content.`
`73`		`- if album.CreatedBy != s.UserUID && s.User().HasSharedAccessOnly(acl.ResourceAlbums) {`
	`73`	`+ if s.User().HasSharedAccessOnly(acl.ResourceAlbums) && album.CreatedBy != s.UserUID && !s.HasShare(uid) {`
`74`	`74`	`AbortForbidden(c)`
`75`	`75`	`return`
`76`	`76`	`}`