Fix download bypass on password protected albums

[ildyria]

Summary by CodeRabbit

• Bug Fixes
  • Download access now matches album visibility more consistently, blocking downloads when a user cannot access the album.
  • Password-protected albums now follow the intended access rules for browsing and downloads, preventing unexpected download bypasses.
  • Download behavior remains available where album permissions allow it, including for public albums with the proper download setting.

[coderabbitai]

📝 Walkthrough

Walkthrough

AlbumPolicy::canDownload() gains an early denial when canAccess() returns false, closing a bypass path where anonymous users could download password-protected albums via /api/v2/Zip. A new feature test class exercises the fixed behavior across three scenarios: anonymous download blocked, download denied without the grant flag, and direct policy-level assertion.

Changes

Password-protected album download bypass fix

Layer / File(s)	Summary
canDownload() access gate app/Policies/AlbumPolicy.php	Adds a 5-line early return in canDownload() that evaluates canAccess($user, $abstract_album) first and immediately returns false if it fails, gating all subsequent download logic behind album accessibility.
Feature tests: bypass, negative-control, policy asymmetry tests/Feature_v2/Album/PasswordDownloadBypassTest.php	Adds PasswordDownloadBypassTest with a private setup helper, a PoC test asserting /api/v2/Zip is now denied for anonymous users on a password-protected album, a negative-control test disabling grants_download, and a direct AlbumPolicy resolution test asserting canAccess/canDownload outcomes.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Poem

🐇 A password's a lock, not just a door,
The bunny patched the zip to check once more.
No sneaking through with streaming tricks,
canAccess guards the download mix.
The tests confirm the bypass is sealed — hooray!

🚥 Pre-merge checks | ✅ 1

✅ Passed checks (1 passed)

Check name	Status	Explanation
Docstring Coverage	✅ Passed	Docstring coverage is 100.00% which is sufficient. The required threshold is 80.00%.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands.}

[coderabbitai]

Actionable comments posted: 1

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 57e2b3a5-9e8b-4c40-a672-a0be294c3292

📥 Commits

Reviewing files that changed from the base of the PR and between 4df83b4 and 48bc309.

📒 Files selected for processing (2)

• app/Policies/AlbumPolicy.php
• tests/Feature_v2/Album/PasswordDownloadBypassTest.php

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 90.45%. Comparing base (4df83b4) to head (48bc309).
⚠️ Report is 1 commits behind head on master.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.