From 373569e16a08660c14c0752d2f65ced15b7d66e6 Mon Sep 17 00:00:00 2001
From: ildyria
Date: Mon, 22 Jun 2026 12:51:44 +0200
Subject: [PATCH 1/2] Ensure that the user is able to see the photo they are setting as highlighted

---
 app/Http/Requests/Photo/SetPhotosHighlightedRequest.php | 2 +-
 app/Policies/PhotoPolicy.php | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/app/Http/Requests/Photo/SetPhotosHighlightedRequest.php b/app/Http/Requests/Photo/SetPhotosHighlightedRequest.php
index 811409b08f3..fd30cdbbb3e 100644
--- a/app/Http/Requests/Photo/SetPhotosHighlightedRequest.php
+++ b/app/Http/Requests/Photo/SetPhotosHighlightedRequest.php
@@ -48,7 +48,7 @@ protected function processValidatedValues(array $values, array $files): void
 /** @var array $photos_ids */
 $photos_ids = $values[RequestAttribute::PHOTO_IDS_ATTRIBUTE];
 $this->photos = Photo::query()
- ->with(['size_variants', 'albums'])
+ ->with(['size_variants', 'albums', 'albums.access_permissions'])
 ->findOrFail($photos_ids);
 $this->is_highlighted = static::toBoolean($values[RequestAttribute::IS_HIGHLIGHTED_ATTRIBUTE]);
 }
diff --git a/app/Policies/PhotoPolicy.php b/app/Policies/PhotoPolicy.php
index 49640d09447..e3b2902cbf9 100644
--- a/app/Policies/PhotoPolicy.php
+++ b/app/Policies/PhotoPolicy.php
@@ -290,8 +290,8 @@ public function canHighlight(?User $user, Photo $photo): bool
 $visibility = $config_manager->getValueAsEnum('photos_star_visibility', PhotoHighlightVisibilityType::class);
 
 return match ($visibility) {
- PhotoHighlightVisibilityType::ANONYMOUS => true,
- PhotoHighlightVisibilityType::AUTHENTICATED => $user !== null,
+ PhotoHighlightVisibilityType::ANONYMOUS => $this->canSee($user, $photo),
+ PhotoHighlightVisibilityType::AUTHENTICATED => $user !== null && $this->canSee($user, $photo),
 PhotoHighlightVisibilityType::EDITOR => $user !== null && $this->canEdit($user, $photo),
 default => false,
 };

From 618ca8408d76d216b8065f86976acf43362a1ca9 Mon Sep 17 00:00:00 2001
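Review bot: The added `'albums.access_permissions'` eager load carries no explanation of why it is needed, and a reader of processValidatedValues will not connect it to the policy change in the same patch. It looks like it is there so that the per-photo visibility check does not issue a query per album; if so, a one-line comment above the `->with(...)` call would keep it from being removed as dead weight later, e.g. `// album permissions are eager-loaded because the highlight policy now checks visibility for every photo`. Please confirm the relation path matches what the policy's visibility check actually reads, otherwise the load is wasted and the check still falls back to lazy queries. processValidatedValues starts before this hunk.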
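Review bot: The ANONYMOUS arm now forwards a possibly-null `$user` (the signature takes `?User`) to `canSee`, so that method must itself accept a null user or the anonymous path raises a TypeError; canSee is outside the hunk, so please confirm. The EDITOR arm is left on `canEdit` alone, which is only safe if editing already implies visibility — if that is not guaranteed by canEdit, `$user !== null && $this->canSee($user, $photo) && $this->canEdit($user, $photo)` makes the rule uniform across all three arms. Either way the method's docblock (above the hunk) should now state the invariant, e.g. `A photo can only be highlighted by someone allowed to see it; the visibility setting only decides who among those may do so.` canHighlight begins outside this hunk.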
From: ildyria
Date: Mon, 22 Jun 2026 14:24:56 +0200
Subject: [PATCH 2/2] Fix tests

---
 tests/ImageProcessing/Photo/PhotoStarTest.php | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/tests/ImageProcessing/Photo/PhotoStarTest.php b/tests/ImageProcessing/Photo/PhotoStarTest.php
index b6fa6c754d1..cc376a54334 100644
--- a/tests/ImageProcessing/Photo/PhotoStarTest.php
+++ b/tests/ImageProcessing/Photo/PhotoStarTest.php
@@ -54,13 +54,13 @@ public function testSetStarPhotoAnonymous(): void
 $this->assertUnprocessable($response);
 
 $response = $this->postJson('Photo::highlight', [
- 'photo_ids' => [$this->photo1->id],
+ 'photo_ids' => [$this->photo4->id],
 'is_highlighted' => true,
 ]);
 $this->assertNoContent($response);
 
 $response = $this->actingAs($this->userNoUpload)->postJson('Photo::highlight', [
- 'photo_ids' => [$this->photo1->id],
+ 'photo_ids' => [$this->photo4->id],
 'is_highlighted' => true,
 ]);
 $this->assertNoContent($response);
@@ -74,13 +74,13 @@ public function testSetStarPhotoWithAuthenticatedVisibility(): void
 $this->assertUnprocessable($response);
 
 $response = $this->postJson('Photo::highlight', [
- 'photo_ids' => [$this->photo1->id],
+ 'photo_ids' => [$this->photo4->id],
 'is_highlighted' => true,
 ]);
 $this->assertUnauthorized($response);
 
 $response = $this->actingAs($this->userNoUpload)->postJson('Photo::highlight', [
- 'photo_ids' => [$this->photo1->id],
+ 'photo_ids' => [$this->photo4->id],
 'is_highlighted' => true,
 ]);
 // Under AUTHENTICATED visibility, any logged-in user can star
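Review bot: Switching the positive cases from photo1 to photo4 keeps the test green but leaves the new rule itself unasserted: nothing in testSetStarPhotoAnonymous checks that highlighting photo1 — presumably the photo the anonymous user cannot see, given that the id had to change — is now refused. A request with `'photo_ids' => [$this->photo1->id]` followed by `$this->assertForbidden($response);` (or whichever status the policy denial maps to; the hunk does not show it) is what would actually fail if the policy change were reverted. The same negative case is worth adding for the `actingAs($this->userNoUpload)` call. testSetStarPhotoAnonymous starts before this hunk.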
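Review bot: The trailing comment `// Under AUTHENTICATED visibility, any logged-in user can star` is now inaccurate, since the policy change in this series additionally requires the user to be able to see the photo — which is exactly why the id had to move to photo4. Reword it to `// Under AUTHENTICATED visibility, any logged-in user who can see the photo can star it`, and consider a companion request with photo1 that asserts the denial so the visibility requirement is covered rather than only avoided. testSetStarPhotoWithAuthenticatedVisibility continues past this hunk.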