search

LycheeOrg / Lychee

A great looking and easy-to-use photo-management-system you can run on your server, to manage and share photos.
https://lycheeorg.github.io/
MIT License
3.42k stars 303 forks source link

Password Protection results in 403 after upgrade from 2024-04-24 to 6.0.0 (and 6.0.1) #2675

Open crtvrmn opened 1 week ago

crtvrmn commented 1 week ago

Pre-Update you got a link and anon could access the picture folder with the password. After the update the password prompt does not show up, but a 403 Error. If i remove the password from the picture folder, its accessible.

error remains, even after updating to 6.0.1 (debug info is 20 minutes dated)

with password protection 172.20.0.1 - - [05/Nov/2024:09:30:02 +0000] "GET /gallery/X5EGAVTLZloefQwOOho5AfRf HTTP/1.1" 403 719 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/129.0.0.0 Safari/537.36" "redacted" without password protection 172.20.0.1 - - [05/Nov/2024:10:16:14 +0000] "GET /api/v2/Album?album_id=X5EGAVTLZloefQwOOho5AfRf HTTP/1.1" 200 31162 "-" "Mozilla/5.0 (Linux; Android 10; K) AppleWebKit/537.36 (KHTML, like Gecko) SamsungBrowser/26.0 Chrome/122.0.0.0 Mobile Safari/537.36" "redacted"

debug info from 6.0.0

Lychee Version (tag):                      v6.0.0 (d25cd64) -- 1 tags behind v6.0.1 (-8.8195172818366E-6 years ago)
DB Version:                                6.0.0
composer install:                          --no-dev
APP_ENV:                                   production
APP_DEBUG:                                 true
APP_URL:                                   set
APP_DIR:                                   default
LOG_VIEWER_ENABLED:                        true
VUEJS_ENABLED:                             true
PHOTO_PIPES:                               true
System:                                    Linux
PHP Version:                               8.2.24
PHP User agent:                            Lychee/4 (https://lycheeorg.github.io/)
Timezone:                                  Europe/Berlin
Max uploaded file size:                    100M
Max post size:                             100M
Chunk size:                                25.60 MB
Max execution time:                        3600
MySQL Version:                             10.11.9-MariaDB-ubu2204
exec() Available:                          yes
Imagick Available:                         1
Imagick Enabled:                           1
Imagick Version:                           1691
GD Version:                                2.3.3
Number of foreign key:                     12 found.

from my docker compose lychee: image: lycheeorg/lychee

any tips are appreciated, i guess i missed some 'breaking changes'

ildyria commented 1 week ago

That is not supposed to be a breaking change, but is clearly a bug. I will check what is going wrong.

Unfortunately I am quite busy, so that will have to wait a tiny bit.

Gendra13 commented 4 hours ago

I can confirm that I have the same issue with 6.0.1 Whenever I am trying to access a password protected album, I receive a 403 error even without beeing asked for a password.