Fix leak: redact per-person on authed non-member reads #46
Pre-existing privacy bug (flagged in docs/BACKLOG.md §2.4/§2.10). A logged-in NON-member of a public/unlisted tree could read living people's dates, real alternate names, and download their photos via the family-view endpoints — only the person list was redacted; list_events/list_relationships/list_names/list_media gated on can_view_tree alone. For non-members these now delegate to the same person_visibility-driven reads the public surface uses: living-person events/names dropped, relationships touching a hidden person dropped, media limited to full-visibility persons, and get_media → media_content 404s for a redacted/unlinked person's media. Members unchanged.

Test: authed non-member sees no living-person PII across events/names/relationships/media and can't download a living person's file; owner still sees all. Full suite 72 passed (ran locally; CI has no pytest).
🤖 Generated with Claude Code
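The access rule the description spells out (tree-level gate first, then per-person visibility for non-members, members unfiltered, and a 404 for a redacted or unlinked person's file) is sketched below in Python as an added example. It is not the project's code: every name in it (Tree, Person, Event, Name, Relationship, Media, can_view_tree, person_visibility, NotFound, the `_redact` helper and the sample people) is an assumption modelled on the identifiers in the PR text, and the sample data is constructed.

```python
"""Visibility-driven redaction for family-view reads (added example, not the project's code).

All names here are assumptions modelled on the PR description; the data is constructed.
"""
from dataclasses import dataclass
from typing import Optional


class NotFound(Exception):
    """Stands in for an HTTP 404: the same answer for a missing and a redacted file."""


@dataclass(frozen=True)
class Tree:
    visibility: str      # "public", "unlisted" or "private" (assumed values)
    members: frozenset   # user ids with member access


@dataclass(frozen=True)
class Person:
    id: int
    living: bool


@dataclass(frozen=True)
class Event:
    person_id: int
    kind: str
    date: str


@dataclass(frozen=True)
class Name:
    person_id: int
    value: str


@dataclass(frozen=True)
class Relationship:
    a: int
    b: int
    kind: str


@dataclass(frozen=True)
class Media:
    id: int
    person_id: Optional[int]   # None = file not linked to any person
    content: bytes


def can_view_tree(tree: Tree, user_id: Optional[int]) -> bool:
    """Tree-level gate only; on its own it says nothing about individual people."""
    return tree.visibility in ("public", "unlisted") or user_id in tree.members


def is_member(tree: Tree, user_id: Optional[int]) -> bool:
    return user_id in tree.members


def person_visibility(tree: Tree, person: Person, user_id: Optional[int]) -> str:
    """'full' or 'hidden': living people are hidden from everyone who is not a member."""
    if is_member(tree, user_id) or not person.living:
        return "full"
    return "hidden"


def _redact(tree, persons, items, user_id, keep):
    """Shared path for every list endpoint: tree gate, then per-person filtering for
    non-members. Members get the unfiltered list, so their behaviour is unchanged."""
    if not can_view_tree(tree, user_id):
        raise NotFound()
    if is_member(tree, user_id):
        return list(items)
    ok = {p.id for p in persons if person_visibility(tree, p, user_id) == "full"}
    return [it for it in items if keep(it, ok)]


def list_events(tree, persons, events, user_id):
    return _redact(tree, persons, events, user_id, lambda e, ok: e.person_id in ok)


def list_names(tree, persons, names, user_id):
    return _redact(tree, persons, names, user_id, lambda n, ok: n.person_id in ok)


def list_relationships(tree, persons, rels, user_id):
    # Dropped if EITHER end is hidden: the visible end alone would still reveal
    # that the hidden person exists and how they are related.
    return _redact(tree, persons, rels, user_id, lambda r, ok: r.a in ok and r.b in ok)


def list_media(tree, persons, media, user_id):
    # None is never in `ok`, so unlinked files are dropped for non-members too.
    return _redact(tree, persons, media, user_id, lambda m, ok: m.person_id in ok)


def media_content(tree, persons, media, media_id, user_id) -> bytes:
    """The download path reuses the list filter, so it can never be more permissive."""
    for m in list_media(tree, persons, media, user_id):
        if m.id == media_id:
            return m.content
    raise NotFound()


# Constructed sample data: one living person, one deceased person, one unlinked file.
TREE = Tree(visibility="public", members=frozenset({100}))
PERSONS = [Person(1, living=True), Person(2, living=False)]
EVENTS = [Event(1, "birth", "1990-04-02"), Event(2, "birth", "1921-11-30")]
NAMES = [Name(1, "Ally"), Name(2, "Bob")]
RELS = [Relationship(1, 2, "child-of")]
MEDIA = [Media(10, 1, b"living-photo"), Media(11, 2, b"old-photo"), Media(12, None, b"unlinked")]
OWNER, NON_MEMBER = 100, 200
```

The point of routing `media_content` through `list_media` is that the download endpoint cannot drift out of sync with the listing rule, which is exactly the class of gap the original bug sat in (list redacted, detail endpoints gated on the tree alone).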