Merge branch 'master' into assisted-vision

Author: ildyria

.github/workflows/CICD.yml

@@ -34,7 +34,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Harden Runner
-        uses: step-security/harden-runner@fe104658747b27e96e4f7e80cd0a94068e53901d # v2.16.1
+        uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0
         with:
           egress-policy: audit
 
@@ -63,7 +63,7 @@ jobs:
       - php_syntax_errors
     steps:
       - name: Harden Runner
-        uses: step-security/harden-runner@fe104658747b27e96e4f7e80cd0a94068e53901d # v2.16.1
+        uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0
         with:
           egress-policy: audit
 
@@ -88,7 +88,7 @@ jobs:
       - php_syntax_errors
     steps:
       - name: Harden Runner
-        uses: step-security/harden-runner@fe104658747b27e96e4f7e80cd0a94068e53901d # v2.16.1
+        uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0
         with:
           egress-policy: audit
 
@@ -114,7 +114,7 @@ jobs:
       - php_syntax_errors
     steps:
       - name: Harden Runner
-        uses: step-security/harden-runner@fe104658747b27e96e4f7e80cd0a94068e53901d # v2.16.1
+        uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0
         with:
           egress-policy: audit
 
@@ -157,7 +157,7 @@ jobs:
 
     steps:
       - name: Harden Runner
-        uses: step-security/harden-runner@fe104658747b27e96e4f7e80cd0a94068e53901d # v2.16.1
+        uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0
         with:
           egress-policy: audit
 
@@ -201,7 +201,7 @@ jobs:
 
     steps:
       - name: Harden Runner
-        uses: step-security/harden-runner@fe104658747b27e96e4f7e80cd0a94068e53901d # v2.16.1
+        uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0
         with:
           egress-policy: audit
 
@@ -246,7 +246,7 @@ jobs:
             type=ref,event=tag
 
       - name: Build and push Docker image
-        uses: docker/build-push-action@d08e5c354a6adb9ed34480a06d141179aa583294 # v7.0.0
+        uses: docker/build-push-action@bcafcacb16a39f128d818304e6c9c0c18556b85f # v7.1.0
         with:
           push: true
           platforms: linux/amd64,linux/arm64
@@ -266,7 +266,7 @@ jobs:
 
     steps:
       - name: Harden Runner
-        uses: step-security/harden-runner@fe104658747b27e96e4f7e80cd0a94068e53901d # v2.16.1
+        uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0
         with:
           egress-policy: audit
 
@@ -310,7 +310,7 @@ jobs:
 
     steps:
       - name: Harden Runner
-        uses: step-security/harden-runner@fe104658747b27e96e4f7e80cd0a94068e53901d # v2.16.1
+        uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0
         with:
           egress-policy: audit
 
@@ -356,7 +356,7 @@ jobs:
             type=ref,event=tag
 
       - name: Build and push Docker image
-        uses: docker/build-push-action@d08e5c354a6adb9ed34480a06d141179aa583294 # v7.0.0
+        uses: docker/build-push-action@bcafcacb16a39f128d818304e6c9c0c18556b85f # v7.1.0
         with:
           push: true
           file: Dockerfile-legacy
@@ -386,7 +386,7 @@ jobs:
 
     steps:
       - name: Harden Runner
-        uses: step-security/harden-runner@fe104658747b27e96e4f7e80cd0a94068e53901d # v2.16.1
+        uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0
         with:
           egress-policy: audit
 
@@ -401,7 +401,7 @@ jobs:
           coverage: none
 
       - name: Use Node.js 20
-        uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0
+        uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
         with:
             node-version: 20
 
@@ -410,7 +410,7 @@ jobs:
           make clean dist
 
       - name: Upload build artifact
-        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
+        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
         with:
           name: Lychee.zip
           path: Lychee.zip
@@ -478,7 +478,7 @@ jobs:
           COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }}
 
       - name: Create release
-        uses: softprops/action-gh-release@153bb8e04406b158c6c84fc1615b65b24149a1fe # v2.6.1
+        uses: softprops/action-gh-release@b4309332981a82ec1c5618f44dd2e27cc8bfbfda # v3.0.0
         with:
           files: |
             Lychee.zip.sigstore.json

.github/workflows/build-demo.yml

@@ -18,7 +18,7 @@ jobs:
 
     steps:
       - name: Harden Runner
-        uses: step-security/harden-runner@fe104658747b27e96e4f7e80cd0a94068e53901d # v2.16.1
+        uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0
         with:
           egress-policy: audit
 
@@ -55,7 +55,7 @@ jobs:
             type=raw,value=demo
 
       - name: Build and push Docker image
-        uses: docker/build-push-action@d08e5c354a6adb9ed34480a06d141179aa583294 # v7.0.0
+        uses: docker/build-push-action@bcafcacb16a39f128d818304e6c9c0c18556b85f # v7.1.0
         with:
           push: true
           file: Dockerfile-demo

.github/workflows/codeql.yml

@@ -41,7 +41,7 @@ jobs:
 
     steps:
       - name: Harden Runner
-        uses: step-security/harden-runner@fe104658747b27e96e4f7e80cd0a94068e53901d # v2.16.1
+        uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0
         with:
           egress-policy: audit
 

.github/workflows/copilot-setup-steps.yml

@@ -41,15 +41,15 @@ jobs:
         uses: ramsey/composer-install@65e4f84970763564f46a70b8a54b90d033b3bdda # 4.0.0
 
       - name: Use Node.js
-        uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0
+        uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
         with:
           node-version: 22
 
       - name: Install Js dependencies
         run: npm ci -D
 
       - name: Set up uv
-        uses: astral-sh/setup-uv@cec208311dfd045dd5311c1add060b2062131d57 # v8.0.0
+        uses: astral-sh/setup-uv@08807647e7069bb48b6ef5acd8ec9567f424441b # v8.1.0
         with:
           enable-cache: true
 

.github/workflows/dependency-review.yml

@@ -17,7 +17,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Harden Runner
-        uses: step-security/harden-runner@fe104658747b27e96e4f7e80cd0a94068e53901d # v2.16.1
+        uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0
         with:
           egress-policy: audit
 

.github/workflows/js_check.yml

@@ -17,15 +17,15 @@ jobs:
           - 22
     steps:
       - name: Harden Runner
-        uses: step-security/harden-runner@fe104658747b27e96e4f7e80cd0a94068e53901d # v2.16.1
+        uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0
         with:
           egress-policy: audit
 
       - name: Checkout code
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 
       - name: Use Node.js ${{ matrix.node-version }}
-        uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0
+        uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6.4.0
         with:
           node-version: ${{ matrix.node-version }}
 

.github/workflows/php_dist.yml

@@ -42,7 +42,7 @@ jobs:
 
     steps:
       - name: Harden Runner
-        uses: step-security/harden-runner@fe104658747b27e96e4f7e80cd0a94068e53901d # v2.16.1
+        uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0
         with:
           egress-policy: audit
 

.github/workflows/php_tests.yml

@@ -68,7 +68,7 @@ jobs:
 
     steps:
       - name: Harden Runner
-        uses: step-security/harden-runner@fe104658747b27e96e4f7e80cd0a94068e53901d # v2.16.1
+        uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0
         with:
           egress-policy: audit
 

.github/workflows/scorecard.yml

@@ -32,7 +32,7 @@ jobs:
 
     steps:
       - name: Harden Runner
-        uses: step-security/harden-runner@fe104658747b27e96e4f7e80cd0a94068e53901d # v2.16.1
+        uses: step-security/harden-runner@8d3c67de8e2fe68ef647c8db1e6a09f647780f40 # v2.19.0
         with:
           egress-policy: audit
 
@@ -64,7 +64,7 @@ jobs:
       # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF
       # format to the repository Actions tab.
       - name: "Upload artifact"
-        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
+        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
         with:
           name: SARIF file
           path: results.sarif

app/Actions/Admin/BulkEditAlbumsAction.php

@@ -0,0 +1,160 @@
+<?php
+
+/**
+ * SPDX-License-Identifier: MIT
+ * Copyright (c) 2017-2018 Tobias Reich
+ * Copyright (c) 2018-2026 LycheeOrg.
+ */
+
+namespace App\Actions\Admin;
+
+use App\Actions\Album\SetProtectionPolicy;
+use App\DTO\BulkAlbumPatchData;
+use App\Http\Resources\Models\Utils\AlbumProtectionPolicy;
+use App\Models\Album;
+use App\Models\BaseAlbumImpl;
+
+/**
+ * Applies a partial set of metadata and/or visibility changes to a batch of albums.
+ *
+ * Changes are applied within the caller's DB transaction.
+ * Fields absent from the payload are left unchanged.
+ *
+ * Three groups are processed separately:
+ *   1. base_albums columns  → chunked mass UPDATE via BaseAlbumImpl
+ *   2. albums columns       → chunked mass UPDATE via Album
+ *   3. Visibility fields    → per-album via SetProtectionPolicy::do()
+ */
+class BulkEditAlbumsAction
+{
+	private SetProtectionPolicy $set_protection_policy;
+
+	public function __construct()
+	{
+		$this->set_protection_policy = new SetProtectionPolicy();
+	}
+
+	/**
+	 * Apply the partial payload to all specified album IDs.
+	 *
+	 * Only fields that were present in the original request (tracked via
+	 * {@see BulkAlbumPatchData::has()}) are updated; absent fields are left
+	 * unchanged.
+	 *
+	 * @param BulkAlbumPatchData $data validated, typed patch payload
+	 */
+	public function do(BulkAlbumPatchData $data): void
+	{
+		$album_ids = $data->album_ids;
+
+		// ── Group 1: base_albums columns ─────────────────────────────────────
+		$base_data = [];
+
+		if ($data->has('description')) {
+			$base_data['description'] = $data->description;
+		}
+		if ($data->has('copyright')) {
+			$base_data['copyright'] = $data->copyright;
+		}
+		if ($data->has('photo_layout')) {
+			$base_data['photo_layout'] = $data->photo_layout?->value;
+		}
+		if ($data->has('photo_sorting_col')) {
+			$base_data['sorting_col'] = $data->photo_sorting_col?->value;
+		}
+		if ($data->has('photo_sorting_order')) {
+			$base_data['sorting_order'] = $data->photo_sorting_order?->value;
+		}
+		if ($data->has('photo_timeline')) {
+			$base_data['photo_timeline'] = $data->photo_timeline?->value;
+		}
+		if ($data->has('is_nsfw')) {
+			$base_data['is_nsfw'] = $data->is_nsfw;
+		}
+
+		if ($base_data !== []) {
+			BaseAlbumImpl::query()
+				->whereIn('id', $album_ids)
+				->update($base_data);
+		}
+
+		// ── Group 2: albums columns ───────────────────────────────────────────
+		$album_data = [];
+
+		if ($data->has('license')) {
+			$album_data['license'] = $data->license?->value;
+		}
+		if ($data->has('album_thumb_aspect_ratio')) {
+			$album_data['album_thumb_aspect_ratio'] = $data->album_thumb_aspect_ratio?->value;
+		}
+		if ($data->has('album_timeline')) {
+			$album_data['album_timeline'] = $data->album_timeline?->value;
+		}
+		if ($data->has('album_sorting_col')) {
+			$album_data['album_sorting_col'] = $data->album_sorting_col?->value;
+		}
+		if ($data->has('album_sorting_order')) {
+			$album_data['album_sorting_order'] = $data->album_sorting_order?->value;
+		}
+
+		if ($album_data !== []) {
+			Album::query()
+				->whereIn('id', $album_ids)
+				->update($album_data);
+		}
+
+		// ── Group 3: Visibility fields ────────────────────────────────────────
+		$has_visibility = $data->has('is_public') ||
+			$data->has('is_link_required') ||
+			$data->has('grants_full_photo_access') ||
+			$data->has('grants_download') ||
+			$data->has('grants_upload');
+
+		if ($has_visibility) {
+			/** @var Album[] $albums */
+			$albums = Album::query()
+				->with('base_class.access_permissions')
+				->whereIn('id', $album_ids)
+				->get()
+				->all();
+
+			foreach ($albums as $album) {
+				$existing = $album->public_permissions();
+
+				// Derive current values as defaults, then overlay payload
+				$is_public = $data->has('is_public')
+					? ($data->is_public === true)
+					: ($existing !== null);
+				$is_link_required = $data->has('is_link_required')
+					? ($data->is_link_required === true)
+					: ($existing?->is_link_required === true);
+				$grants_full_photo_access = $data->has('grants_full_photo_access')
+					? ($data->grants_full_photo_access === true)
+					: ($existing?->grants_full_photo_access === true);
+				$grants_download = $data->has('grants_download')
+					? ($data->grants_download === true)
+					: ($existing?->grants_download === true);
+				$grants_upload = $data->has('grants_upload')
+					? ($data->grants_upload === true)
+					: ($existing?->grants_upload === true);
+
+				// is_nsfw may have been updated in group 1 via mass-update;
+				// use the payload value if present, else the model value.
+				$is_nsfw = $data->has('is_nsfw')
+					? ($data->is_nsfw === true)
+					: ($album->is_nsfw === true);
+
+				$protection_policy = new AlbumProtectionPolicy(
+					is_public: $is_public,
+					is_link_required: $is_link_required,
+					is_nsfw: $is_nsfw,
+					grants_full_photo_access: $grants_full_photo_access,
+					grants_download: $grants_download,
+					grants_upload: $grants_upload,
+				);
+
+				$this->set_protection_policy->do($album, $protection_policy, false, null);
+			}
+		}
+	}
+}