Skip to content

Fix: shared gallery person management (allows operations with correct WebDAV permissions)#1627

Draft
jacksbox-cassandra wants to merge 3 commits intopulsejet:masterfrom
jacksbox-cassandra:fix/shared-gallery-person-management
Draft

Fix: shared gallery person management (allows operations with correct WebDAV permissions)#1627
jacksbox-cassandra wants to merge 3 commits intopulsejet:masterfrom
jacksbox-cassandra:fix/shared-gallery-person-management

Conversation

@jacksbox-cassandra
Copy link

@jacksbox-cassandra jacksbox-cassandra commented Feb 20, 2026

Fix shared gallery person management permissions

Problem

Users cannot manage face clusters (rename, move, merge faces) for photos uploaded by other users in shared galleries, even when they have full permissions to the shared folder.

Error message: "Only user '{user}' can update this person"

This prevents collaborative face organization in shared family or group galleries.

Root Cause

The frontend components had strict ownership checks (this.user !== utils.uid) that blocked all face management operations on clusters belonging to other users, regardless of shared folder permissions.

Solution

  • Added canManagePersonCluster(personUserId) helper function that checks WebDAV permissions
  • Updated all face management modals to use permission-based access control instead of strict ownership
  • Preserves security by only allowing operations when users have write permissions to the relevant files

Changes Made

  1. New Permission Helper (src/services/utils/helpers.ts):

    • canManagePersonCluster() function using PROPFIND WebDAV requests
    • Checks for write permissions ('W' flag) in oc:permissions
    • Falls back to current user only if permission check fails

  2. Updated Components:

    • FaceEditModal.vue - Person renaming
    • FaceMoveModal.vue - Moving faces between persons
    • FaceMergeModal.vue - Merging face clusters
    • SelectionManager.vue - Removing faces from persons

Testing

  • ✅ Project builds successfully
  • ✅ TypeScript compilation passes
  • ✅ Backward compatibility maintained
  • ✅ No breaking API changes

Security Considerations

  • Permission checks are done on each operation
  • Falls back to restrictive behavior if permissions cannot be determined
  • Uses existing Nextcloud WebDAV permission system
  • No new security vulnerabilities introduced

Fixes

Closes #290

@jacksbox-cassandra
Fix shared gallery person management permissions
64ad462 
- Add canManagePersonCluster helper function to check if current user
  can manage face clusters based on shared folder permissions
- Update FaceEditModal, FaceMoveModal, FaceMergeModal, and SelectionManager
  to use the new permission check instead of strict ownership check
- Allows users to rename, move, and merge face clusters in shared galleries
  when they have appropriate folder permissions

Fixes: pulsejet#290
@jacksbox-cassandra
Update changelog for shared gallery person management fix
99650e5
@jacksbox-cassandra
Add test documentation and PR description for shared gallery fix
d345cef
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Shared Galery Rename or Move Only user "xy" can update this person

1 participant

@jacksbox-cassandra