
Fix hidden albums leaking via "present in albums" list #4387

Merged: ildyria merged 2 commits into master from copilot/fix-discussion-4355-issue on Jun 1, 2026

Conversation

Copilot AI commented May 31, 2026

Contributor

When a photo exists in both a visible album and a hidden (link-required) album, the /Photo/{id}/albums endpoint was exposing the hidden album to any user who could see the photo — leaking the album's existence and granting unintended access.

Root cause

PhotoController::albums() filtered using AlbumPolicy::canAccess(), which returns true for any public album regardless of is_link_required. Albums with is_link_required = true are intentionally hidden from listings but were surfaced through this endpoint.

Changes

  • PhotoController::albums() — replaces the canAccess filter with an explicit visibility check:

    • Owner → always included
    • Explicitly shared user (current_user_permissions !== null) → included
    • Public album → only included if is_link_required === false (and not password-locked)
  • GetPhotoAlbumsTest — adds regression test testHiddenAlbumNotShownToNonOwner: photo in a visible public album + a hidden (link-required) album; verifies the hidden album is absent from the response for unauthenticated users.

// Before — hides nothing link-required
->filter(fn ($album) => $album_policy->canAccess($user, $album))

// After — respects listing visibility
$public_perm = $album->public_permissions();
return $public_perm !== null
    && $public_perm->is_link_required === false
    && ($public_perm->password === null || $album_policy->isUnlocked($album));
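The distinction the PR draws, between "may this user open the album" (canAccess) and "may this album be listed for this user" (the new check), is the whole fix: a secondary endpoint that reuses an access check will enumerate objects the primary listing deliberately hides. The following is an added, self-contained PHP model of that distinction written for this page; it is not Lychee's code. The User, Album, PublicPermissions and AlbumPolicy classes, the shared_with and unlocked fields, and the albumsOfPhoto helper are assumptions that stand in for the real types, and the scenario mirrors the regression test described above (one visible public album, one link-required album, anonymous requester).

```php
<?php
// Added example, not Lychee's code. Class shapes, fields and the albumsOfPhoto
// helper are assumptions standing in for the project's AlbumPolicy and
// PublicPermissions types.
declare(strict_types=1);

final class User {
    public function __construct(public readonly int $id) {}
}

final class PublicPermissions {
    public function __construct(
        public readonly bool $is_link_required,
        public readonly ?string $password = null,
    ) {}
}

final class Album {
    /** @param int[] $shared_with user ids explicitly granted access (assumed shape) */
    public function __construct(
        public readonly string $id,
        public readonly int $owner_id,
        public readonly ?PublicPermissions $public = null,
        public readonly array $shared_with = [],
    ) {}

    public function public_permissions(): ?PublicPermissions { return $this->public; }
}

final class AlbumPolicy {
    /** @param string[] $unlocked ids of password-protected albums this session has unlocked */
    public function __construct(private readonly array $unlocked = []) {}

    public function isUnlocked(Album $album): bool {
        return in_array($album->id, $this->unlocked, true);
    }

    private function isOwnerOrSharedWith(?User $user, Album $album): bool {
        if ($user === null) return false;
        return $user->id === $album->owner_id || in_array($user->id, $album->shared_with, true);
    }

    // Models the root cause described in the PR: any public album passes,
    // regardless of is_link_required.
    public function canAccess(?User $user, Album $album): bool {
        if ($this->isOwnerOrSharedWith($user, $album)) return true;
        $perm = $album->public_permissions();
        return $perm !== null && ($perm->password === null || $this->isUnlocked($album));
    }

    // Models the listing check the PR introduces: owner and explicitly shared
    // users always see the album; a public album is listed only when it is not
    // link-required and not password-locked.
    public function canList(?User $user, Album $album): bool {
        if ($this->isOwnerOrSharedWith($user, $album)) return true;
        $perm = $album->public_permissions();
        return $perm !== null
            && $perm->is_link_required === false
            && ($perm->password === null || $this->isUnlocked($album));
    }
}

/** Ids of the albums a /Photo/{id}/albums-style endpoint would return. @param Album[] $albums @return string[] */
function albumsOfPhoto(?User $user, array $albums, AlbumPolicy $policy, bool $fixed): array {
    $visible = array_filter(
        $albums,
        fn (Album $a) => $fixed ? $policy->canList($user, $a) : $policy->canAccess($user, $a),
    );
    return array_values(array_map(fn (Album $a) => $a->id, $visible));
}

// Constructed scenario: a photo in one visible public album and one hidden
// (link-required) album, queried by an unauthenticated user.
$visible = new Album('visible', owner_id: 1, public: new PublicPermissions(is_link_required: false));
$hidden  = new Album('hidden',  owner_id: 1, public: new PublicPermissions(is_link_required: true));
$policy  = new AlbumPolicy();

$before = albumsOfPhoto(null, [$visible, $hidden], $policy, fixed: false);
$after  = albumsOfPhoto(null, [$visible, $hidden], $policy, fixed: true);
assert($before === ['visible', 'hidden']);   // the leak: hidden album enumerated
assert($after  === ['visible']);             // after the fix: only the listed album
// The owner still sees both albums through the listing check.
assert(albumsOfPhoto(new User(1), [$visible, $hidden], $policy, fixed: true) === ['visible', 'hidden']);

echo 'before fix: ' . implode(', ', $before) . PHP_EOL;
echo 'after fix:  ' . implode(', ', $after) . PHP_EOL;
```

Run with `php example.php` (PHP 8.1 or later for readonly promoted properties). The design point worth keeping from the PR is that the listing predicate is stricter than the access predicate and is applied wherever album identifiers are returned as a side effect of another query, so a regression test like the one added here, asserting absence rather than presence, is what catches the leak.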

Copilot AI and others added 2 commits May 31, 2026 22:10
Co-authored-by: ildyria <627094+ildyria@users.noreply.github.com>
Co-authored-by: ildyria <627094+ildyria@users.noreply.github.com>
@ildyria ildyria marked this pull request as ready for review May 31, 2026 22:16
@ildyria ildyria requested a review from a team as a code owner May 31, 2026 22:16

codecov Bot commented May 31, 2026


Codecov Report

❌ Patch coverage is 91.66667% with 1 line in your changes missing coverage. Please review.
✅ Project coverage is 90.23%. Comparing base (46c372d) to head (597bcee).


Comment thread app/Http/Controllers/Gallery/PhotoController.php
@ildyria ildyria merged commit 77fd7bf into master Jun 1, 2026
45 checks passed
@ildyria ildyria deleted the copilot/fix-discussion-4355-issue branch June 1, 2026 12:10
3 participants