From ae0d48ac83e1e15bfb117904cd0fecd73232145a Mon Sep 17 00:00:00 2001
From: jubnl <jgunther021@gmail.com>
Date: Sat, 4 Apr 2026 00:14:11 +0200
Subject: [PATCH] fix(immich): check all trips when verifying shared photo
 access

canAccessUserPhoto was using .get() which only returned the first matching
trip, causing access to be incorrectly denied when a photo was shared across
multiple trips and the requester was a member of a non-first trip.
---
 server/src/services/immichService.ts | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/server/src/services/immichService.ts b/server/src/services/immichService.ts
index aceb8c0..0429086 100644
--- a/server/src/services/immichService.ts
+++ b/server/src/services/immichService.ts
@@ -236,12 +236,12 @@ export function togglePhotoSharing(tripId: string, userId: number, assetId: stri
  * the same trip that contains the photo.
  */
 export function canAccessUserPhoto(requestingUserId: number, ownerUserId: number, assetId: string): boolean {
-  const row = db.prepare(`
+  const rows = db.prepare(`
     SELECT tp.trip_id FROM trip_photos tp
     WHERE tp.immich_asset_id = ? AND tp.user_id = ? AND tp.shared = 1
-  `).get(assetId, ownerUserId) as { trip_id: number } | undefined;
-  if (!row) return false;
-  return !!canAccessTrip(String(row.trip_id), requestingUserId);
+  `).all(assetId, ownerUserId) as { trip_id: number }[];
+  if (rows.length === 0) return false;
+  return rows.some(row => !!canAccessTrip(String(row.trip_id), requestingUserId));
 }
 
 export async function getAssetInfo(