Album privacy set to "Private (anyone with the link)" is publicly listed in profile

lovedigit

👽 Chevereto Freak
▶ Reproduction steps
  1. Create an album
  2. Set privacy of album to "Private (Anyone with link)"
  3. Go to profile > Album of that user in incognito mode
  4. Album is listed publicly for everyone
😢 Unexpected result

Album should only be visible to original users, and should be hidden from public listings when set to private

📃 Error log message

None
 
Thanks for reporting. Not only is "anyone with link" failing, all the album privacy is broken.

This is the patched code, at app/lib/classes/class.listing.php

PHP:
        // Privacy layer
        if (
            !($this->requester['is_admin'] ?? false)
            && in_array($this->type, ['images', 'albums', 'users'])
            && (
                (!isset($this->owner) || !isset($this->requester)) || $this->owner !== $this->requester['id']
            )
        ) {
            if (empty($this->where)) {
                $this->where = 'WHERE ';
            } else {
                $this->where .= ' AND ';
            }
            $nsfw_off = $this->requester ? !$this->requester['show_nsfw_listings'] : !getSetting('show_nsfw_in_listings');
            switch ($this->type) {
                case 'images':
                    if ($nsfw_off) {
                        $nsfw_off_clause = $tables['images'] . '.image_nsfw = 0';
                        if ($this->requester) {
                            $this->where .= '(' . $nsfw_off_clause .  ' OR (' .  $tables['images'] . '.image_nsfw = 1 AND ' .  $tables['images'] . '.image_user_id = ' . $this->requester['id'] . ')) AND ';
                        } else {
                            $this->where .= $nsfw_off_clause . ' AND ';
                        }
                    }
                    break;
                case 'users':
                    $this->where .= $tables['users'] . '.user_is_private = 0';
                    break;
            }
            if ($this->type !== 'users') {
                if (getSetting('website_privacy_mode') == 'public' || $this->privacy == 'private_but_link' || getSetting('website_content_privacy_mode') == 'default') {
                    $this->where .= '(' . $tables['albums'] . '.album_privacy NOT IN';
                    $privacy_modes = ['private', 'private_but_link', 'password', 'custom'];
                    if (in_array($this->privacy, $privacy_modes)) {
                        unset($privacy_modes[array_search($this->privacy, $privacy_modes)]);
                    }
                    $this->where .= " (" . "'" . implode("','", $privacy_modes) . "'" . ") ";
                    $this->where .=  "OR " . $tables['albums'] . '.album_privacy IS NULL';
                    if ($this->requester) {
                        $this->where .= ' OR ' . $tables['albums'] . '.album_user_id =' . $this->requester['id'];
                    }
                    $this->where .= ')';
                } else {
                    $injected_requester = !$this->requester['id'] ? 0 : $this->requester['id'];
                    $this->where .= '(' . $tables['albums'] . '.album_user_id = ' . $injected_requester;
                    $this->where .= $this->type == 'albums' ? ')' : (' OR ' . $tables['images'] . '.image_user_id = ' . $injected_requester . ')');
                }
            }
        }

This has been already patched in the demo, give it a try.
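
The album predicate built by the patch above, exercised against constructed rows in an in-memory SQLite database (an added example, not part of the original post and not Chevereto's own code). The `albumPrivacyClause` and `listedAlbums` helpers, the unprefixed `albums` table and the sample rows are assumptions, and the script needs the pdo_sqlite extension. It checks which albums each kind of requester gets listed, including a row with a NULL privacy value.

```php
<?php
// Added example, not Chevereto code. Column names follow the patch; the table
// name, helper names and rows are constructed for illustration.
function albumPrivacyClause(?int $requesterId, ?string $requestedPrivacy = null): string
{
    $hidden = ['private', 'private_but_link', 'password', 'custom'];
    if (in_array($requestedPrivacy, $hidden, true)) {
        $hidden = array_diff($hidden, [$requestedPrivacy]);
    }
    $clause = "(album_privacy NOT IN ('" . implode("','", $hidden) . "')"
        . ' OR album_privacy IS NULL'; // NULL NOT IN (...) is never true on its own
    if ($requesterId !== null) {
        $clause .= ' OR album_user_id = ' . $requesterId; // int-typed, not raw input
    }
    return $clause . ')';
}

function listedAlbums(PDO $db, ?int $requesterId): array
{
    $sql = 'SELECT album_name FROM albums WHERE ' . albumPrivacyClause($requesterId)
        . ' ORDER BY album_name';
    return $db->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE albums (album_name TEXT, album_user_id INTEGER, album_privacy TEXT)');
$insert = $db->prepare('INSERT INTO albums VALUES (?, ?, ?)');
foreach ([
    ['public-1', 1, 'public'], ['legacy-null', 1, null], ['private-1', 1, 'private'],
    ['link-only-1', 1, 'private_but_link'], ['password-1', 1, 'password'],
    ['public-2', 2, 'public'],
] as $row) {
    $insert->execute($row);
}

$visible = ['legacy-null', 'public-1', 'public-2'];
$cases = [
    'anonymous visitor' => [null, $visible],
    'other user (id 2)' => [2, $visible],
    'album owner (id 1)' => [1, ['legacy-null', 'link-only-1', 'password-1', 'private-1', 'public-1', 'public-2']],
];
foreach ($cases as $who => [$id, $expected]) {
    $got = listedAlbums($db, $id);
    if ($got !== $expected) {
        throw new RuntimeException("$who sees: " . implode(', ', $got));
    }
    echo "$who: " . implode(', ', $got) . PHP_EOL;
}
```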
 
I will apply this code myself to see if it also patches my NSFW issue, since it is even listing all NSFW images.

I can confirm this code also fixes my issue. Thank you @Rodolfo for the quick fix.
 