Download button is visible and does not support download rights yet. (backend is fine). #1720

Closed
WolfRevo opened this issue Jan 17, 2023 · 12 comments · Fixed by #2035
Labels
bug Something isn't working good first issue Good for newcomers Low Priority Low priority issues

Comments

@WolfRevo

Detailed description of the problem [REQUIRED]

Hi,

yesterday I installed lychee 4.7.0 using the official docker container, so this is basically my docker-compose file:

`cat <fancy path>/docker-compose.yml`

```yaml
#-------------------------------------------
#  Docker Compose
# @RobLandry
# Repo : https://github.com/LycheeOrg/Lychee-Laravel-Docker
#-------------------------------------------

version: '3'

services:
  lychee_db:
    container_name: lychee_db
    image: mariadb:10
    environment:
      - MYSQL_ROOT_PASSWORD=<substituted fancy PW>
      - MYSQL_DATABASE=lychee
      - MYSQL_USER=lychee
      - MYSQL_PASSWORD=<substituted fancy second PW>
    expose:
      - 3306
    volumes:
      - mysql:/var/lib/mysql
    networks:
      - lychee
    dns:
      - <fancy DNS IP>
#    security_opt: ## commented out to prove it's not the cause
#      - no-new-privileges:true
    deploy:
      resources:
        limits:
          cpus: '0.25'
          memory: 4G
        reservations:
          memory: 500M
    restart: unless-stopped
    labels:
      - "com.centurylinklabs.watchtower.enable=true"
      - "traefik.enable=true"

  lychee:
    image: lycheeorg/lychee:dev
    container_name: lychee
    ports:
      - 90:80
    volumes:
      - ./lychee/conf:/conf
      - ./lychee/uploads:/uploads
      - ./lychee/sym:/sym
    networks:
      - lychee
      - proxy
    environment:
      - PHP_TZ=Europe/Berlin
      - TIMEZONE=Europe/Berlin
      - DB_CONNECTION=mysql
      - DB_HOST=lychee_db
      - DB_PORT=3306
      - DB_DATABASE=lychee
      - DB_USERNAME=lychee
      - DB_PASSWORD=<substituted fancy second PW>
      - STARTUP_DELAY=30
    dns:
      - <fancy DNS IP>
#    security_opt: ## commented out to prove it's not the cause
#      - no-new-privileges:true
    deploy:
      resources:
        limits:
          cpus: '0.25'
          memory: 2G
        reservations:
          memory: 250M
    restart: unless-stopped
    depends_on:
      - lychee_db
    labels:
      - "com.centurylinklabs.watchtower.enable=true"
      - "traefik.enable=true"
      - "traefik.docker.network=proxy"

      - "traefik.http.routers.lychee.entryPoints=https"
      - "traefik.http.routers.lychee.rule=Host(`<fancy private URL>`)"
      - "traefik.http.routers.lychee.tls=true"
      - "traefik.http.routers.lychee.tls.certResolver=http"
      - "traefik.http.routers.lychee.middlewares= default@file"
      - "traefik.http.routers.lychee.service=lychee"
      - "traefik.http.services.lychee.loadBalancer.server.port=80"
      - "traefik.http.services.lychee.loadbalancer.sticky.cookie.httpOnly=true"
      - "traefik.http.services.lychee.loadbalancer.sticky.cookie.secure=true"

networks:
  lychee:
  proxy:
    external: true

volumes:
  mysql:
```

So with that, Lychee is perfectly reachable via my private URL or locally when directly connected to the server (http://<fancy IP>:90), and working as an authenticated user (either admin or standard user) also looks fine.
As my intention is to use this as a way to provide access to specific albums to people without them having an account, but I still don't want to have the pictures fully publicly exposed to the internet, I want to achieve this with the following anonymous settings for my test album:
[screenshot]

Accessing the album without a user looks good in the first place:
[screenshot]

Downloading the full album also works as intended (I tried the download and it works):
[screenshot]

Now I want the anon-user also to be able to download only specific pictures in different sizes (as set per user settings above), but selecting a picture does not show the three dots on the right to download a picture:
[screenshot]

Interestingly, if I change the anon-settings to a wrong state:
[screenshot]

the anon-user should not be able to see the three dots or to download the picture, but:
[screenshot]

now he sees the three dots and is also able to click on the different sizes:
[screenshot]

luckily the permissions are still fine:
[screenshot]

I checked your demo page and there it seems to be all right. So did I do something wrong in my docker setup or in the configuration?

Steps to reproduce the issue

Steps to reproduce the behavior:
See the detailed description above, it contains my steps.

Screenshots
See the screenshots above.

Output of the diagnostics [REQUIRED]

    Diagnostics
    -------
    Warning: Dropbox import not working. dropbox_key is empty.
    Info: Latest version of PHP is 8.2
    Warning: git (software) is not available.
    Foreign key: albums.parent_id               → albums.id            : RESTRICT
    Foreign key: albums.id                      → base_albums.id       : RESTRICT
    Foreign key: albums.cover_id                → photos.id            : CASCADE
    Foreign key: base_albums.owner_id           → users.id             : RESTRICT
    Foreign key: photos.album_id                → albums.id            : RESTRICT
    Foreign key: photos.owner_id                → users.id             : RESTRICT
    Foreign key: size_variants.photo_id         → photos.id            : RESTRICT
    Foreign key: sym_links.size_variant_id      → size_variants.id     : RESTRICT
    Foreign key: tag_albums.id                  → base_albums.id       : RESTRICT
    Foreign key: user_base_album.base_album_id  → base_albums.id       : CASCADE
    Foreign key: user_base_album.user_id        → users.id             : CASCADE




    System Information
    --------------
    Lychee Version (git):                    master (26d9b75) -- 2 commits behind 1dd61c1 (2 seconds ago)
    DB Version:                              4.7.0
    
    composer install:                        --no-dev
    APP_ENV:                                 production
    APP_DEBUG:                               false
    
    System:                                  Linux
    PHP Version:                             8.1.12
    PHP User agent:                          Lychee/4 (https://lycheeorg.github.io/)
    Timezone:                                Europe/Berlin
    Max uploaded file size:                  100M
    Max post size:                           100M
    Max execution time:                      3600
    MySQL Version:                           10.10.2-MariaDB-1:10.10.2+maria~ubu2204
    
    exec() Available:                        yes
    Imagick Available:                       1
    Imagick Enabled:                         1
    Imagick Version:                         1691
    GD Version:                              2.3.3
    Number of foreign key:                   11 found.




    Config Information
    --------------
    version:                                 040700
    check_for_updates:                       0
    sorting_photos_col:                      taken_at
    sorting_photos_order:                    ASC
    sorting_albums_col:                      max_taken_at
    sorting_albums_order:                    ASC
    imagick:                                 1
    skip_duplicates:                         0
    small_max_width:                         0
    small_max_height:                        360
    medium_max_width:                        1920
    medium_max_height:                       1080
    lang:                                    en
    layout:                                  1
    image_overlay_type:                      desc
    default_license:                         none
    compression_quality:                     90
    grants_full_photo_access:                1
    delete_imported:                         0
    mod_frame_enabled:                       1
    mod_frame_refresh:                       30
    thumb_2x:                                1
    small_2x:                                1
    medium_2x:                               1
    landing_page_enable:                     0
    site_owner:                              Wolf Revo
    landing_title:                           Wolf Revo
    landing_subtitle:                        
    sm_facebook_url:                         
    sm_flickr_url:                           
    sm_twitter_url:                          
    sm_instagram_url:                        
    sm_youtube_url:                          
    landing_background:                      dist/cat.webp
    site_title:                              Wolfi's Bilderbude
    footer_show_copyright:                   1
    site_copyright_begin:                    2015
    site_copyright_end:                      2023
    footer_additional_text:                  
    footer_show_social_media:                0
    public_search:                           0
    SL_enable:                               0
    SL_for_admin:                            0
    public_recent:                           0
    recent_age:                              1
    public_starred:                          0
    grants_download:                         0
    photos_wraparound:                       1
    map_display:                             0
    zip64:                                   1
    map_display_public:                      0
    map_provider:                            Wikimedia
    force_32bit_ids:                         0
    map_include_subalbums:                   0
    update_check_every_days:                 3
    has_exiftool:                            1
    share_button_visible:                    0
    import_via_symlink:                      0
    has_ffmpeg:                              1
    location_decoding:                       0
    location_decoding_timeout:               30
    location_show:                           0
    location_show_public:                    0
    rss_enable:                              0
    rss_recent_days:                         7
    rss_max_items:                           100
    prefer_available_xmp_metadata:           0
    editor_enabled:                          1
    lossless_optimization:                   0
    swipe_tolerance_x:                       150
    swipe_tolerance_y:                       250
    local_takestamp_video_formats:           .avi|.mov
    log_max_num_line:                        1000
    unlock_password_photos_with_url_param:   0
    nsfw_visible:                            0
    nsfw_blur:                               0
    nsfw_warning:                            0
    nsfw_warning_admin:                      0
    nsfw_banner_override:                    
    map_display_direction:                   1
    album_subtitle_type:                     oldstyle
    upload_processing_limit:                 4
    public_photos_hidden:                    1
    new_photos_notification:                 0
    legacy_id_redirection:                   1
    zip_deflate_level:                       6
    SA_enabled:                              1
    default_album_protection:                1
    album_decoration:                        layers
    album_decoration_orientation:            row
    allow_username_change:                   1

Browser and system

Windows 10, Firefox, Edge, Chrome (tested with them all)

@ildyria
Member

ildyria commented Jan 17, 2023

> I checked your demo page and there it seems to be all right.

Demo page is outdated.

> luckily the permissions are still fine

Which means that it is a bug in the front-end.

BTW you don't really need the password if you are already hidden. The albumId string is 128 of entropy, so you are pretty safe against brute-forcing attacks...

Given that the backend is still blocking and working as expected I would consider this as Low priority.
It is also a nice bug for those who want to start diving into the code.

ildyria changed the title from "Anonymous permissions not working as intented (self hosted)" to "Download button is visible and does not support download rights yet. (backend is fine)." on Jan 17, 2023
ildyria added the labels bug, JS - Lychee-Front, Low Priority and good first issue on Jan 17, 2023
@WolfRevo
Author

> BTW you don't really need the password if you are already hidden. The albumId string is 128 of entropy, so you are pretty safe against brute-forcing attacks...

Thanks. Yes I tested that as well and picture download isn't possible too. As the album download works either way I am also fine with "low priority" 🤭

@ildyria
Member

ildyria commented Jan 17, 2023

I forgot to say, thank you for the comprehensive tests and detailed report. Very much appreciated. ❤️

@WolfRevo
Author

> I forgot to say, thank you for the comprehensive tests and detailed report. Very much appreciated. ❤️

You are welcome!

Short comment on your changed title: this is not fully reflecting the issue. The Download button is shown when it should not be and is missing when it should be shown. Looks like a simple reverse in the if-logic. Unfortunately I was not able to dig into the code that quickly to understand where I would find this logic.

@WolfRevo
Author

https://github.com/LycheeOrg/Lychee-front/blob/master/scripts/main/contextMenu.js#L510

I think there is a typo:

```js
const showDownload = album.isUploadable() || photo.json.grant_download;
```

Everywhere else, it's called `grants_download` (based on this information).
So it should be:

```js
const showDownload = album.isUploadable() || photo.json.grants_download;
```

I don't have the time to create a test environment. But if someone could just give a comment if this might be the problem I can create a PR.

@ildyria
Member

ildyria commented Jan 17, 2023

> I think there is a typo:
> `const showDownload = album.isUploadable() || photo.json.grant_download;`
> everywhere else, it's called `grants_download` (based on this information)
> So it should be:
> `const showDownload = album.isUploadable() || photo.json.grants_download;`
> I don't have the time to create a test environment. But if someone could just give a comment if this might be the problem I can create a PR.

No, photo.json.rights.can_download should be used instead.
#1481 (comment)
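
Added example (not code from this thread or from Lychee): it shows why a lookup of a property that does not exist on the payload goes unnoticed in a visibility check, and how a strict reader of `rights.can_download` fails loudly instead. The sample payloads and the helper names `showDownloadTypo`, `canDownload`, `showDownload` and `audit` are assumptions; only the field names `grant_download` and `rights.can_download` come from the comments above.

```javascript
// Constructed photo payloads; the real response shape may carry more fields.
const samples = [
  { id: "anon-allowed", json: { rights: { can_download: true } } },
  { id: "anon-denied", json: { rights: { can_download: false } } },
  { id: "no-rights", json: {} }, // constructed: rights object missing
];

// Shape of the lookup quoted in the thread: grant_download is not present on
// any payload, so the expression is undefined and no error is raised.
function showDownloadTypo(albumIsUploadable, photo) {
  return Boolean(albumIsUploadable || photo.json.grant_download);
}

// Strict reader (hypothetical helper): accepts only a boolean
// rights.can_download and throws when the field is absent or renamed.
function canDownload(photo) {
  const rights = photo.json.rights;
  if (!rights || typeof rights.can_download !== "boolean") {
    throw new TypeError(`photo ${photo.id}: rights.can_download missing`);
  }
  return rights.can_download;
}

// UI decision derived from the server-provided right.
function showDownload(albumIsUploadable, photo) {
  return albumIsUploadable || canDownload(photo);
}

// Compare both lookups for an anonymous visitor (album not uploadable).
function audit(photos) {
  return photos.map((p) => {
    let strict;
    try {
      strict = showDownload(false, p);
    } catch (e) {
      strict = "error";
    }
    return { id: p.id, typo: showDownloadTypo(false, p), strict };
  });
}

console.log(audit(samples));
```

The menu entry is only a presentation decision; as the thread notes, the backend check is what actually blocks the download.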

@WolfRevo
Author

> No, photo.json.rights.can_download should be used instead.
> #1481 (comment)

Ok, understood. Still, I have the issue of not being able to easily create a test environment (I just don't have the time 😮) to change the code and run the changed frontend to test it myself. Otherwise I already would have done a PR 😀

@ildyria
Member

ildyria commented Jan 18, 2023

There is no hurry, we are all under time pressure. :)
I could fix it in little time but there are more pressing matters at hand.
Also because I am currently rewriting the front-end, this will also ultimately be fixed with #1303

@WolfRevo
Author

I will exercise in my patience then 🙏

@ildyria
Member

ildyria commented Jan 18, 2023

> I will exercise in my patience then 🙏

FYI we are talking about months before #1303 is merged. 😅

  • complete implementation (x months, where x > 1)
  • add documentation (1 month)
  • First round of reviews (1 month)
  • Fix changes requests (1 month)
  • Another round of reviews (1 month)
  • Merge

@WolfRevo
Author

WolfRevo commented Feb 9, 2023

Short feedback: works as intended with 4.7.1 dev 👍

Lychee Version: 4.7.1 (dev)
Lychee Commit:  5533538
https://github.com/LycheeOrg/Lychee/commit/5533538d6a820ac561f49941f144f7b19a218a33
