v0.2.3 (2026-04-22)
Bot-command scope hardening: commands now see only what their chat is wired to
receive notifications about, closing a leak where a bot serving multiple chats
exposed the whole provider catalog to every chat. Plus a handful of Immich
command fixes (missing public_url enrichment, silently-swallowed search errors,
always-on link previews).
Features
- Per-chat album scope derived from notification routing — for a `(provider, bot, chat_id)` triple, the allowed album set is now computed by walking `TargetReceiver → NotificationTarget → NotificationTrackerTarget → NotificationTracker` and unioning the collection IDs. `/albums`, `/random`, `/search`, `/find`, `/latest`, `/memory`, `/summary`, `/favorites`, `/place`, `/person`, `/status`, `/events` all intersect their results with the resolved scope. Chats with no notification routing for a tracker return nothing rather than leaking the provider's catalog. (3b76a09)
- Scope modal relabeled — the per-listener `allowed_album_ids` UI is now explicitly an override for this bot (escape hatch when you want a divergent scope for a whole bot); the default is derive from notification routing, which matches what operators have already configured elsewhere. (3b76a09)
- Drop tracker counts from `/status` — `trackers_active` / `trackers_total` were per-provider aggregates that would leak info about trackers a chat has no visibility into. Immich default `/status` templates (en, ru) now show only Albums + Last event; the template-editor variable catalog no longer suggests the removed vars for the Immich `/status` slot. Note: custom templates that reference `{{ trackers_active }}` / `{{ trackers_total }}` need to be updated. (5a232f1)
Bug Fixes
- `/albums` honors per-chat scope — previously ignored `CommandTrackerListener.allowed_album_ids` and listed every album tracked by the provider, so scoped chats saw neighbours' albums. Now applies the same intersect filter the `/_cmd_immich` media commands use. (4ff3876)
- Disable Telegram link previews on command text replies — listings (`/albums`, `/events`, `/people`, …) embed multiple links and were rendering a preview for the first URL regardless of the operator's Disable link previews toggle. `send_reply` now always passes `disable_web_page_preview=True`. (4ff3876)
- Restore `public_url` enrichment on `/search`, `/find`, `/person`, `/place` — `_enrich_assets`'s return value was being discarded, dropping the public URL populated on each asset. Now assigned properly. (3b76a09)
- Surface Immich search errors instead of silently returning `[]` — `search_smart` / `search_metadata` consolidated into a `_search_items` helper that logs non-200 responses and transport errors, and accepts the alternate `{"assets": [...]}` flat-list shape from older Immich versions. "Always no results" bugs are now diagnosable. (3b76a09)
- Redact Immich search error bodies before they land in server logs — credentials echoed by authenticating proxies no longer leak into logs. (3b76a09)
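
The per-chat scope derivation from the Features list and the intersect filter from the `/albums` fix, sketched as an added example (not the project's own code). The dataclass fields, the `resolve_scope`, `filter_albums` and `visible` helpers, the `None`-means-no-override convention and the sample data are all assumptions made for illustration.

```python
from dataclasses import dataclass

# Hypothetical stand-ins for the routing chain; field names are assumptions.
# A NotificationTarget is represented here only by its target_id.
@dataclass(frozen=True)
class TargetReceiver:
    bot: str
    chat_id: int
    target_id: int

@dataclass(frozen=True)
class NotificationTrackerTarget:  # link row between a target and a tracker
    target_id: int
    tracker_id: int

@dataclass(frozen=True)
class NotificationTracker:
    id: int
    provider: str
    collection_ids: frozenset

def resolve_scope(provider, bot, chat_id, receivers, links, trackers, override=None):
    """Album IDs this chat may see. An empty set means 'show nothing'."""
    if override is not None:  # assumed: a per-bot allowed_album_ids override wins
        return frozenset(override)
    targets = {r.target_id for r in receivers if (r.bot, r.chat_id) == (bot, chat_id)}
    tracker_ids = {l.tracker_id for l in links if l.target_id in targets}
    scope = set()
    for t in trackers:
        if t.id in tracker_ids and t.provider == provider:
            scope |= t.collection_ids  # union across every routed tracker
    return frozenset(scope)

def filter_albums(albums, scope):
    """Intersect provider results with the scope; no fallback to the catalog."""
    return [a for a in albums if a["id"] in scope]

# Constructed sample data: one bot, two routed chats, chat 300 has no routing.
RECEIVERS = [TargetReceiver("bot1", 100, 1), TargetReceiver("bot1", 200, 2)]
LINKS = [NotificationTrackerTarget(1, 10), NotificationTrackerTarget(2, 11),
         NotificationTrackerTarget(2, 12)]
TRACKERS = [NotificationTracker(10, "immich", frozenset({"family"})),
            NotificationTracker(11, "immich", frozenset({"work", "travel"})),
            NotificationTracker(12, "other", frozenset({"x"}))]
CATALOG = [{"id": "family"}, {"id": "work"}, {"id": "travel"}, {"id": "private"}]

def visible(chat_id, override=None):
    scope = resolve_scope("immich", "bot1", chat_id, RECEIVERS, LINKS, TRACKERS, override)
    return sorted(a["id"] for a in filter_albums(CATALOG, scope))
```

The property to regression-test is the unrouted chat: an empty scope has to yield an empty listing, because treating "no scope" as "no filter" is what exposes the whole catalog.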