diff --git a/server/e2e/api/specs/asset.e2e-spec.ts b/server/e2e/api/specs/asset.e2e-spec.ts
index 389d66f3ed..e38f08d0ca 100644
--- a/server/e2e/api/specs/asset.e2e-spec.ts
+++ b/server/e2e/api/specs/asset.e2e-spec.ts
@@ -559,6 +559,47 @@ describe(`${AssetController.name} (e2e)`, () => {
expect(status).toBe(200);
expect(body).toMatchObject({ id: asset1.id });
});
+
+ it('should not send people data for shared links for un-authenticated users', async () => {
+ const personRepository = app.get<IPersonRepository>(IPersonRepository);
+ const person = await personRepository.create({ ownerId: asset1.ownerId, name: 'Test Person' });
+
+ await personRepository.createFaces([
+ {
+ assetId: asset1.id,
+ personId: person.id,
+ embedding: Array.from({ length: 512 }, Math.random),
+ },
+ ]);
+
+ const { status, body } = await request(server)
+ .put(`/asset/${asset1.id}`)
+ .set('Authorization', `Bearer ${user1.accessToken}`)
+ .send({ isFavorite: true });
+ expect(status).toEqual(200);
+ expect(body).toMatchObject({
+ id: asset1.id,
+ isFavorite: true,
+ people: [
+ {
+ birthDate: null,
+ id: expect.any(String),
+ isHidden: false,
+ name: 'Test Person',
+ thumbnailPath: '',
+ },
+ ],
+ });
+
+ const sharedLink = await api.sharedLinkApi.create(server, user1.accessToken, {
+ type: SharedLinkType.INDIVIDUAL,
+ assetIds: [asset1.id],
+ });
+
+ const data = await request(server).get(`/asset/assetById/${asset1.id}?key=${sharedLink.key}`);
+ expect(data.status).toBe(200);
+ expect(data.body).toMatchObject({ people: [] });
+ });
});
describe('GET /asset/:id', () => {
diff --git a/server/src/domain/asset/asset.service.ts b/server/src/domain/asset/asset.service.ts
index 4d1abe1872..087a5ebcf2 100644
--- a/server/src/domain/asset/asset.service.ts
+++ b/server/src/domain/asset/asset.service.ts
@@ -321,7 +321,7 @@ export class AssetService {
delete data.owner;
}
- if (data.ownerId !== auth.user.id) {
+ if (data.ownerId !== auth.user.id || auth.sharedLink) {
data.people = [];
}