jubnl d765a80ea3 fix(immich): proxy shared photos using owner's Immich credentials ...

Trip members viewing another member's shared photo were getting a 404
because the proxy endpoints always used the requesting user's Immich
credentials instead of the photo owner's. The ?userId= query param the
client already sent was silently ignored.

- Add canAccessUserPhoto() to verify the asset is shared and the
  requesting user is a trip member before allowing cross-user proxying
- Pass optional ownerUserId through proxyThumbnail, proxyOriginal, and
  getAssetInfo so credentials are fetched for the correct user
- Enforce shared=1 check so unshared photos remain inaccessible

2026-04-03 22:32:41 +02:00

..

public

fix: always fetch fresh photo URLs for map markers instead of using stored HTTP URLs

2026-04-01 19:48:58 +02:00

scripts

feat: add encryption key migration script and document it in README

2026-04-01 09:35:32 +02:00

src

fix(immich): proxy shared photos using owner's Immich credentials

2026-04-03 22:32:41 +02:00

tests

test: update cookie test to match sameSite lax change

2026-04-03 14:42:48 +02:00

.env.example

feat: add MCP_RATE_LIMIT env variable to control MCP request rate

2026-04-03 15:44:33 +02:00

package-lock.json

Add comprehensive backend test suite (#339)

2026-04-03 13:17:53 +02:00

package.json

Add comprehensive backend test suite (#339)

2026-04-03 13:17:53 +02:00

reset-admin.js

Stabilize core: better-sqlite3, versioned migrations, graceful shutdown

2026-03-22 17:52:24 +01:00

tsconfig.json

some fixes

2026-03-30 06:59:24 +02:00

vitest.config.ts

Add comprehensive backend test suite (#339)

2026-04-03 13:17:53 +02:00