Open thorgrin opened 1 month ago
For me, a user must be logged in (cookies saved in the browser) so that this information can be seen; otherwise it will show =>
From my understanding, the information (name, email, ...) does not belong to the user who shared the album but to the user who is already logged in.
The bug
When sharing an album through a public link, at least the following information is disclosed:
I believe that disclosing this information is unnecessary. Moreover, the sharing user is probably not aware of the disclosure, as it is not indicated anywhere on the shared album itself, only in the JSON responses from the server.
Disclosing name and email can lead to privacy issues, and disclosing originalPath for images reveals unnecessary details about the underlying storage layout (mount points in Docker) and can make a compromise easier for an attacker.
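As an added illustration of the mitigation this report asks for (this is example code, not Immich's own server code or API), the block below shows one way to strip the over-shared fields from a shared-album response before it is served to an anonymous public-link viewer, together with a small checker that lists which sensitive fields a response still exposes. The sample payload is constructed for the example and only loosely resembles a shared-album response; the key list (`name`, `email`, `originalPath`) is taken from the fields named in this report and is an assumed policy, not a field list from the project.

```typescript
// Added example, not Immich's code: redact fields that a public share link
// should not expose, and report any that remain in a JSON response.

type Json = null | boolean | number | string | Json[] | { [k: string]: Json };

// Keys the report names as unnecessarily disclosed to unauthenticated viewers.
// This is an assumed policy list for the example; a real policy would scope
// it to the owner object and asset records rather than matching keys globally.
const SENSITIVE_KEYS = new Set(["name", "email", "originalPath"]);

// Walk a JSON value and collect the dotted path of every sensitive key found,
// e.g. "owner.email" or "assets[0].originalPath".
export function findDisclosedFields(value: Json, path = ""): string[] {
  if (Array.isArray(value)) {
    return value.flatMap((v, i) => findDisclosedFields(v, `${path}[${i}]`));
  }
  if (value !== null && typeof value === "object") {
    return Object.entries(value).flatMap(([k, v]) => {
      const p = path ? `${path}.${k}` : k;
      return SENSITIVE_KEYS.has(k) ? [p] : findDisclosedFields(v, p);
    });
  }
  return [];
}

// Return a deep copy with every sensitive key removed; the input is not mutated,
// so the same object can still be served in full to an authenticated owner.
export function redactForPublicShare(value: Json): Json {
  if (Array.isArray(value)) {
    return value.map((v) => redactForPublicShare(v));
  }
  if (value !== null && typeof value === "object") {
    const out: { [k: string]: Json } = {};
    for (const [k, v] of Object.entries(value)) {
      if (!SENSITIVE_KEYS.has(k)) {
        out[k] = redactForPublicShare(v);
      }
    }
    return out;
  }
  return value;
}

// Constructed sample (placeholder ids and paths); not a captured Immich payload.
export const SAMPLE_ALBUM: Json = {
  albumName: "Holiday",
  owner: {
    id: "owner-id-placeholder",
    name: "Alice Example",
    email: "alice@example.invalid",
  },
  assets: [
    {
      id: "asset-id-placeholder",
      type: "IMAGE",
      originalPath: "/usr/src/app/upload/library/placeholder/IMG_0001.jpg",
      exifInfo: { make: "ExampleCam" },
    },
  ],
};

// Run directly: show what a viewer would see before and after redaction.
console.log("disclosed before redaction:", findDisclosedFields(SAMPLE_ALBUM));
console.log(JSON.stringify(redactForPublicShare(SAMPLE_ALBUM), null, 2));
```

The checker is the useful half for a self-hosted operator: run it over the JSON a browser receives when opening one of your own share links while logged out, and any non-empty result is a field the share is leaking. The redaction is deliberately a deny-list on a copy of the response so that the authenticated code path is untouched; an allow-list of fields the public view actually renders would be the stricter design.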
The OS that Immich Server is running on
Ubuntu 22.04.5 LTS
Version of Immich Server
v1.115.0
Version of Immich Mobile App
irrelevant, using browser
Platform with the issue
Your docker-compose.yml content
Your .env content
Reproduction steps
Relevant log output
No response
Additional information
No response